Abstract

Entropic uncertainty relations are quantitative characterizations of Heisenberg's uncertainty principle, which make use of an entropy measure to quantify uncertainty. In quantum cryptography, they are often used as convenient tools in security proofs.

We propose a new entropic uncertainty relation. It is the first such uncertainty relation that lower bounds the uncertainty in the measurement outcome for all but one choice for the measurement from an arbitrarily large (but specifically chosen) set of possible measurements, and, at the same time, uses the min-entropy as entropy measure, rather than the Shannon entropy. This makes it especially suited for quantum cryptography.

As application, we propose a new quantum identification scheme in the bounded-quantum-storage model. Because the scheme requires a perfectly single-qubit source to operate securely, it is currently mainly of theoretical interest. Our new uncertainty relation forms the core of the new scheme's security proof in the bounded-quantum-storage model. In contrast to the original quantum identification scheme proposed by Damgård et al., our new scheme also offers some security in case the bounded-quantum-storage assumption fails to hold. Specifically, our scheme remains secure against an adversary that has unbounded storage capabilities but is restricted to non-adaptive single-qubit operations. The scheme by Damgård et al., on the other hand, completely breaks down under such an attack.

NJB is supported by an NWO Open Competition grant. CGG is supported by Spanish Grants I-MATH, MTM2008-01366, QUITEMAD and QUEVADIS. CS is supported by an

1 Introduction



1.1 A New Uncertainty Relation 

In this work, we propose and prove a new general entropic uncertainty relation. Uncertainty relations are quantitative characterizations of the uncertainty principle of quantum mechanics, which expresses that for certain pairs of measurements, there exists no state for which the measurement outcome is determined for both measurements: at least one of the outcomes must be somewhat uncertain. Entropic uncertainty relations express this uncertainty in at least one of the measurement outcomes by means of an entropy measure, usually the Shannon entropy. Our new entropic uncertainty relation distinguishes itself from previously known uncertainty relations by the following collection of features:

1. It uses the min-entropy as entropy measure, rather than the Shannon entropy. Such an uncertainty relation is sometimes also called a high-order entropic uncertainty relation.[1] Since privacy amplification needs a lower bound on the min-entropy, high-order entropic uncertainty relations are useful tools in quantum cryptography.

2. It lower bounds the uncertainty in the measurement outcome for all but one measurement, chosen from an arbitrary (and arbitrarily large) family of possible measurements. This is clearly stronger than typical entropic uncertainty relations that lower bound the uncertainty on average (over the choice of the measurement).

3. The measurements can be chosen to be qubit-wise measurements, in the computational or Hadamard basis, and thus the uncertainty relation is applicable to practical schemes (which can be implemented using current technology).

To the best of our knowledge, no previous entropic uncertainty relation satisfies (1) and (2) simultaneously, let alone in combination with (3). Indeed, as pointed out in a recent overview article by Wehner and Winter [WW10], little is known about entropic uncertainty relations for more than two measurement outcomes, and even less when additionally considering min-entropy.

To explain our new uncertainty relation, we find it helpful to first discuss a simpler variant, which does not satisfy (2), and which follows trivially from known results. Fix an arbitrary family $\{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ of bases for a given quantum system (i.e., Hilbert space). The maximum overlap of such a family is defined as

$$c := \max\{ |\langle \phi | \psi \rangle| : |\phi\rangle \in \mathcal{B}_j,\ |\psi\rangle \in \mathcal{B}_k,\ 1 \le j < k \le m \},$$

and let $d := -\log(c^2)$. Let $\rho$ be an arbitrary quantum state of that system, and let $X$ denote the measurement outcome when $\rho$ is measured in one of the bases. We model the choice of the basis by a random variable $J$, so that $H(X|J=j)$ denotes the Shannon entropy of the measurement outcome when $\rho$ is measured in basis $\mathcal{B}_j$. It follows immediately from Maassen and Uffink's uncertainty relation [MU88] that

$$H(X|J=j) + H(X|J=k) \ge -\log(c^2) = d \quad \forall\, j \ne k.$$

As a direct consequence, there exists a choice $j'$ for the measurement so that $H(X|J=j) \ge d/2$ for all $j \in \{1, \ldots, m\}$ with $j \ne j'$. In other words, for any state $\rho$ there exists $j'$ so that unless the choice for the measurement coincides with $j'$, which happens with probability at most $\max_j P_J(j)$, there are at least $d/2$ bits of entropy in the outcome $X$.

[1] This is because the min-entropy coincides with the Rényi entropy $H_\alpha$ of high(est) order $\alpha = \infty$. In comparison, the Shannon entropy coincides with the Rényi entropy of (relatively) low order $\alpha = 1$.

Our new high-order entropic uncertainty relation shows that this very statement essentially still holds when we replace Shannon by min-entropy, except that $j'$ becomes randomized: for any $\rho$, there exists a random variable $J'$, independent of $J$, such that[2]

$$H_{\min}(X|J=j, J'=j') \gtrsim \frac{d}{2} \quad \forall\, j \ne j' \in \{1, \ldots, m\},$$

no matter what the distribution of $J$ is. Thus, unless the measurement $J$ coincides with $J'$, there are roughly $d/2$ bits of min-entropy in the outcome $X$. Furthermore, since $J'$ is independent of $J$, the probability that $J$ coincides with $J'$ is at most $\max_j P_J(j)$, as is the case for a fixed $J'$.

Note that we have no control over (the distribution of) $J'$. We can merely guarantee that it exists and is independent of $J$. It may be insightful to interpret $J'$ as a virtual guess for $J$, guessed by the party that prepares $\rho$, and whose goal is to have little uncertainty in the measurement outcome $X$. The reader may think of the following specific way of preparing $\rho$: sample $j'$ according to some arbitrary distribution $J'$, and then prepare the state as the, say, first basis vector of $\mathcal{B}_{j'}$. If the resulting mixture $\rho$ is then measured in some basis $\mathcal{B}_j$, sampled according to an arbitrary (independent) distribution $J$, then unless $j = j'$ (i.e., our guess for $j$ was correct), there is obviously lower bounded uncertainty in the measurement outcome $X$ (assuming a non-trivial maximum overlap). Our uncertainty relation can be understood as saying that for any state $\rho$, no matter how it is prepared, there exists such a (virtual) guess $J'$, which exhibits this very behavior: if it differs from the actual choice for the measurement then there is lower bounded uncertainty in the measurement outcome $X$. As an immediate consequence, we can for instance say that $X$ has min-entropy at least $d/2$, except with a probability that is given by the probability of guessing $J$, e.g., except with probability $1/m$ if the measurement is chosen uniformly at random from the family. This is clearly the best we can hope for.

We stress that because the min-entropy is more conservative than the Shannon entropy, our high-order entropic uncertainty relation does not follow from its simpler Shannon-entropy version. Neither can it be deduced in an analogous way; the main reason being that for fixed pairs $j \ne k$, there is no strong lower bound on $H_{\min}(X|J=j) + H_{\min}(X|J=k)$, in contrast to the case of Shannon entropy. More precisely and more generally, the average uncertainty $\frac{1}{|\mathcal{J}|}\sum_j H_{\min}(X|J=j)$ does not allow a lower bound higher than $\log|\mathcal{J}|$. To see this, consider the following example for $|\mathcal{J}| = 2$ (the example can easily be extended to arbitrary $|\mathcal{J}|$). Suppose that $\rho$ is the uniform mixture of two pure states, one giving no uncertainty when measured in basis $j$, and the other giving no uncertainty when measured in basis $k$. Then, $\frac12 H_{\min}(X|J=j) + \frac12 H_{\min}(X|J=k) = 1$. Because of a similar reason, we cannot hope to get a good bound for all but a fixed choice of $j'$; the probabilistic nature of $J'$ is necessary (in general). Hence, compared to bounding the average uncertainty, the all-but-one form of our uncertainty relation not only makes our uncertainty relation stronger in that uncertainty for all-but-one implies uncertainty on average (yet not vice versa), but it also allows for more uncertainty.

By using asymptotically good error-correcting codes, one can construct families of bases that have a large value of $d$, and thus for which our uncertainty relation guarantees a large amount of min-entropy (we discuss this in more detail in Section 3.2). These families consist of qubit-wise measurements in the computational or the Hadamard basis, hence these measurements can be performed with current technology.

[2] The rigorous version of the approximate inequality $\gtrsim$ is stated in Theorem 9.

The proof of our new uncertainty relation comprises a rather involved probability reasoning to prove the existence of the random variable $J'$ and builds on earlier work presented in [Sch07].



1.2 Quantum Identification with "Hybrid" Security 

As an application of our entropic uncertainty relation, we propose a new quantum identification protocol. Informally, the goal of (password-based) identification is to prove knowledge of a possibly low-entropy password $w$, without giving away any information on $w$ (beyond what is unavoidable). In [DFSS07], Damgård et al. showed the existence of such an identification protocol in the bounded-quantum-storage model (BQSM). This means that the proposed protocol involves the communication of qubits, and security is proven against any dishonest participant that can store only a limited number of these qubits (whereas legitimate participants need no quantum storage at all to honestly execute the protocol).

Our uncertainty relation gives us the right tool to prove security of the new quantum identification protocol in the BQSM. The distinguishing feature of our new protocol is that it also offers some security in case the assumption underlying the BQSM fails to hold. Indeed, we additionally prove security of our new protocol against a dishonest server that has unbounded quantum-storage capabilities and can reliably store all the qubits communicated during an execution of the protocol, but is restricted to non-adaptive single-qubit operations and measurements.[3] This is in sharp contrast to protocol QID by Damgård et al., which completely breaks down against a dishonest server that can store all the communicated qubits in a quantum memory and postpone the measurements until the user announces the correct measurement bases. On the downside, our protocol only offers security in case of a perfectly single-qubit (e.g. single-photon) source, because multi-qubit emissions reveal information about $w$. Hence, given the immature state of single-qubit-source technology at the time of this writing, our protocol is currently mainly of theoret­ical interest.

We want to stress that proving security of our protocol in this single-qubit-operations model (SQOM) is non-trivial. Indeed, as we will see, standard tools like privacy amplification are not applicable. Our proof relies on a certain minimum-distance property of random binary matrices and makes use of Diaconis and Shahshahani's XOR inequality (Theorem 1, see also [Dia88]).



1.3 Related Work 

The study of entropic uncertainty relations, whose origin dates back to 1957 with the work of Hirschman [HJ57], has received a lot of attention over the last decade due to their various applications in quantum information theory. We refer the reader to [WW10] for a recent overview on entropic uncertainty relations. Most of the known entropic uncertainty relations are of the form

$$\frac{1}{|\mathcal{J}|} \sum_{j} H_\alpha(X|J=j) \ge h,$$

where $H_\alpha$ is the Rényi entropy.[4] I.e., most uncertainty relations only give a lower bound on the entropy of the measurement outcome $X$ on average over the (random) choice of the measurement. As argued in Section 1.1, the bound $h$ on the min-entropy can be at most $\log|\mathcal{J}|$, no matter the range of $X$. Furthermore, an uncertainty relation of this form only guarantees that there is uncertainty in $X$ for some measurement(s), but does not specify precisely for how many, and certainly it does not guarantee uncertainty for all but one measurement. The same holds for the high-order entropic uncertainty relation from [DFR+07], which considers an exponential number of measurement settings and guarantees that except with negligible probability over the (random) choice of the measurement, there is lower-bounded min-entropy in the outcome. On the other hand, the high-order entropic uncertainty relation from [DFSS05] only considers two measurement settings and guarantees lower-bounded min-entropy with probability (close to) $\frac12$.

[3] It is known that some restriction is necessary (see [DFSS07]).

[4] The Rényi entropy [Ren61] is defined as $H_\alpha(X) := \frac{1}{1-\alpha} \log \sum_x P_X(x)^\alpha$. Nevertheless, for most known uncertainty relations $\alpha = 1$, i.e. the Shannon entropy.

The uncertainty relation we know of that comes closest to ours is Lemma 2.13 in [FHS11]. Using our notation, it shows that $X$ is $\varepsilon$-close to having roughly $d/2$ bits of min-entropy (i.e., the same bound we get), but only for all but an $\varepsilon$-fraction of all the $m$ possible choices for the measurement $j$, where $\varepsilon$ is about

With respect to our application, backing up the security of the identification protocol by Damgård et al. [DFSS07] against an adversary that can overcome the quantum-memory bound assumed by the BQSM was also the goal of [DFL+09]. However, the solution proposed there relies on an unproven computational-hardness assumption, and as such, strictly speaking, can be broken by an adversary in the SQOM, i.e., by storing qubits and measuring them later qubit-wise and performing (possibly infeasible) classical computations. On the other hand, by assuming a lower bound on the hardness of the underlying computational problem against quantum machines, the security of the protocol in [DFL+09] holds against an adversary with much more quantum computing power than our protocol in the SQOM, which restricts the adversary to single-qubit operations.

We hope that with future research on this topic, new quantum identification (or other cryptographic) protocols will be developed with security in the same spirit as our protocol, but with a more relaxed restriction on the adversary's quantum computation capabilities, for instance that he can only perform a limited number of quantum computation steps, and in every step he can only act on a limited number of qubits coherently.



2 Preliminaries

2.1 Basic Notation

Sets as well as families are written using a calligraphic font, e.g. $\mathcal{A}, \mathcal{X}$, and we write $|\mathcal{A}|$ etc. for the cardinality. We use $[n]$ as a shorthand for $\{1, \ldots, n\}$.

For an $n$-bit vector $v = (v_1, \ldots, v_n)$ in $\{0,1\}^n$, we write $|v|$ for its Hamming weight, and, for any subset $\mathcal{I} \subseteq [n]$, we write $v_{\mathcal{I}}$ for the restricted vector $(v_i)_{i \in \mathcal{I}} \in \{0,1\}^{|\mathcal{I}|}$. For two vectors $v, w \in \{0,1\}^n$, the Schur product is defined as the element-wise product $v \odot w := (v_1 w_1, v_2 w_2, \ldots, v_n w_n) \in \{0,1\}^n$, and the inner product between $v$ and $w$ is given by $v \cdot w := v_1 w_1 \oplus \cdots \oplus v_n w_n \in \{0,1\}$, where the addition is modulo 2. We write $\mathrm{span}(F)$ for the row span of a matrix $F$: the set of vectors obtained by making all possible linear combinations (modulo 2) of the rows of $F$, i.e. the set $\{sF : s \in \{0,1\}^k\}$ for a matrix $F$ with $k$ rows, where $s$ should be interpreted as a row vector and $sF$ denotes a vector-matrix product.
2.2 Probability Theory

A finite probability space is a non-empty finite set $\Omega$ together with a function $\Pr : \Omega \to \mathbb{R}$ such that $\Pr(\omega) \ge 0$ for all $\omega \in \Omega$ and $\sum_{\omega \in \Omega} \Pr(\omega) = 1$. An event is a subset of $\Omega$. A random variable is a function $X : \Omega \to \mathcal{X}$ from a finite probability space $(\Omega, \Pr)$ to a finite set $\mathcal{X}$. We denote random variables as capital letters, for example $X, Y, Z$. The distribution of $X$, which we denote as $P_X$, is given by $P_X(x) = \Pr[X = x] = \Pr[\{\omega \in \Omega : X(\omega) = x\}]$. The joint distribution of two (or more) random variables $X$ and $Y$ is denoted by $P_{XY}$, i.e., $P_{XY}(x,y) = \Pr[X = x \wedge Y = y]$. Specifically, we write $U_{\mathcal{X}}$ for the uniform probability distribution over $\mathcal{X}$. Usually, we leave the probability space $(\Omega, \Pr)$ implicit, and understand random variables to be defined by their joint distribution, or by some "experiment" that uniquely determines their joint distribution.

Random variables $X$ and $Y$ are independent if $P_{XY} = P_X P_Y$ (which should be understood as $P_{XY}(x,y) = P_X(x) P_Y(y)$ for all $x \in \mathcal{X}, y \in \mathcal{Y}$). The random variables $X$, $Y$ and $Z$ form a (first-order) Markov chain, denoted by $X \leftrightarrow Y \leftrightarrow Z$, if $P_{XZ|Y} = P_{X|Y} P_{Z|Y}$. The statistical distance (also known as variational distance) between distributions $P_X$ and $P_Y$ is written as $\mathrm{SD}(P_X, P_Y) := \frac12 \|P_X - P_Y\|_1$.

The bias of a binary random variable $X$ is defined as $\mathrm{bias}(X) := |P_X(0) - P_X(1)|$. This also naturally defines the bias of $X$ conditioned on an event $\mathcal{E}$ as $\mathrm{bias}(X|\mathcal{E}) := |P_{X|\mathcal{E}}(0) - P_{X|\mathcal{E}}(1)|$. The bias thus ranges between 0 and 1 and can be understood as a degree of predictability of a bit: if the bias is small then the bit is close to random, and if the bias is large (i.e. approaches 1) then the bit has essentially no uncertainty. For a sum of two independent binary random variables $X_1$ and $X_2$, the bias of the sum is the product of the individual biases, i.e. $\mathrm{bias}(X_1 \oplus X_2) = \mathrm{bias}(X_1)\,\mathrm{bias}(X_2)$.

Theorem 1 (Diaconis and Shahshahani's Information-Theoretic XOR Lemma). Let $X$ be a random variable over $\mathcal{X} := \{0,1\}^n$ with distribution $P_X$. Then, the following holds,

$$\mathrm{SD}(P_X, U_{\mathcal{X}}) \le \frac12 \sqrt{\sum_{I \in \{0,1\}^n \setminus \{0^n\}} \mathrm{bias}(I \cdot X)^2}.$$

The original version of Theorem 1 appeared in [Dia88], where it is expressed in the language of representation theory. The version above is due to [NN93].

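As an added illustration (not code from the paper), the following Python script evaluates both sides of Theorem 1 and the bias product rule of Section 2.2 on small distributions over $\{0,1\}^n$; the distributions `CORRELATED` and `product_distribution(...)` are constructed for this example.

```python
import math
from itertools import product

# Added example, not code from the paper: the quantities of Section 2.2 and
# Theorem 1 evaluated on small constructed distributions over {0,1}^n.


def bias(dist, bit_of):
    """bias of the bit bit_of(x) for x ~ dist: |P(bit = 0) - P(bit = 1)|."""
    p0 = sum(p for x, p in dist.items() if bit_of(x) == 0)
    return abs(p0 - (1.0 - p0))


def inner_product_bit(I, x):
    """I . x = I_1 x_1 xor ... xor I_n x_n (the inner product of Section 2.1)."""
    return sum(i * xi for i, xi in zip(I, x)) % 2


def statistical_distance_to_uniform(dist, n):
    """SD(P_X, U_X) = 1/2 sum_x |P_X(x) - 2^-n| over all x in {0,1}^n."""
    return 0.5 * sum(abs(dist.get(x, 0.0) - 2.0 ** -n) for x in product([0, 1], repeat=n))


def xor_lemma_bound(dist, n):
    """Right-hand side of Theorem 1: 1/2 sqrt( sum_{I != 0^n} bias(I . X)^2 )."""
    total = 0.0
    for I in product([0, 1], repeat=n):
        if any(I):                       # skip I = 0^n
            total += bias(dist, lambda x, I=I: inner_product_bit(I, x)) ** 2
    return 0.5 * math.sqrt(total)


def product_distribution(b1, b2):
    """Two independent bits with P(X_i = 0) = (1 + b_i)/2, i.e. bias(X_i) = b_i."""
    p1, p2 = (1 + b1) / 2, (1 + b2) / 2
    return {(x1, x2): (p1 if x1 == 0 else 1 - p1) * (p2 if x2 == 0 else 1 - p2)
            for x1 in (0, 1) for x2 in (0, 1)}


def xor_bias(dist):
    """bias(X_1 xor X_2); for independent bits this equals bias(X_1) * bias(X_2)."""
    return bias(dist, lambda x: (x[0] + x[1]) % 2)


# Constructed distribution: two correlated bits, each marginally uniform, so the
# only non-zero bias is that of X_1 xor X_2 (I = 11); here Theorem 1 is tight.
CORRELATED = {(0, 0): 0.4, (0, 1): 0.1, (1, 0): 0.1, (1, 1): 0.4}

if __name__ == "__main__":
    sd = statistical_distance_to_uniform(CORRELATED, 2)
    bound = xor_lemma_bound(CORRELATED, 2)
    print(f"SD(P_X, U) = {sd:.3f} <= {bound:.3f} (Theorem 1 bound)")
    print(f"bias(X1 xor X2) for independent biases 0.2 and 0.5: "
          f"{xor_bias(product_distribution(0.2, 0.5)):.3f}")
```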
Theorem 2 (Hoeffding's Inequality). Let $X_1, X_2, \ldots, X_n$ be independent binary random variables, each distributed according to the Bernoulli distribution with parameter $\mu$, and let $\bar{X} := n^{-1} \sum_i X_i$. Then for $0 < t < 1 - \mu$,

$$\Pr[\bar{X} - \mu \ge t] \le \exp(-2nt^2).$$

For a proof, the reader is referred to [Hoe63].

2.3 Quantum Systems and States 

We assume that the reader is familiar with the basic concepts of quantum information theory; the main purpose of this section is to fix some terminology and notation. A quantum system $A$ is associated with a complex Hilbert space, $\mathcal{H} = \mathbb{C}^d$, its state space. By default, we write $\mathcal{H}_A$ for the state space of system $A$, and $\rho_A$ (respectively $|\varphi_A\rangle$ in case of a pure state) for the state of $A$. We write $\mathcal{D}(\mathcal{H})$ for the set of all density matrices on Hilbert space $\mathcal{H}$.

The state space of a bipartite quantum system $AB$, consisting of two (or more) subsystems, is given by $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$. If the state of $AB$ is given by $\rho_{AB}$ then the state of subsystem $A$, when treated as a stand-alone system, is given by the partial trace $\rho_A = \mathrm{tr}_B(\rho_{AB})$, and correspondingly for $B$. Measuring a system $A$ in basis $\{|i\rangle\}_{i \in I}$, where $\{|i\rangle\}_{i \in I}$ is an orthonormal basis of $\mathcal{H}_A$, means applying the measurement described by the projectors $\{|i\rangle\langle i|\}_{i \in I}$, such that outcome $i \in I$ is observed with probability $p_i = \mathrm{tr}(|i\rangle\langle i|\, \rho_A)$ (respectively $p_i = |\langle i|\varphi_A\rangle|^2$ in case of a pure state). If $A$ is a subsystem of a bipartite system $AB$, then it means applying the measurement described by the projectors $\{|i\rangle\langle i| \otimes \mathbb{I}_B\}_{i \in I}$, where $\mathbb{I}_B$ is the identity operator on $\mathcal{H}_B$.

A qubit is a quantum system $A$ with state space $\mathcal{H}_A = \mathbb{C}^2$. The computational basis $\{|0\rangle, |1\rangle\}$ (for a qubit) is given by $|0\rangle = \binom{1}{0}$ and $|1\rangle = \binom{0}{1}$, and the Hadamard basis by $\{H|0\rangle, H|1\rangle\}$, where $H$ denotes the 2-dimensional Hadamard matrix $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$. We also call the computational basis the plus basis and associate it with the '+'-symbol, and we call the Hadamard basis the times basis and associate it with the '$\times$'-symbol. For bit vectors $x = (x_1, \ldots, x_n) \in \{0,1\}^n$ and $v = (v_1, \ldots, v_n) \in \{+, \times\}^n$ we then write $|x\rangle_v = |x_1\rangle_{v_1} \otimes \cdots \otimes |x_n\rangle_{v_n}$ where $|x_i\rangle_+ := |x_i\rangle$ and $|x_i\rangle_\times := H|x_i\rangle$.

Subsystem $X$ of a bipartite quantum system $XE$ is called classical, if the state of $XE$ is given by a density matrix of the form

$$\rho_{XE} = \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_E^x,$$

where $\mathcal{X}$ is a finite set of cardinality $|\mathcal{X}| = \dim(\mathcal{H}_X)$, $P_X : \mathcal{X} \to [0,1]$ is a probability distribution, $\{|x\rangle\}_{x \in \mathcal{X}}$ is some fixed orthonormal basis of $\mathcal{H}_X$, and $\rho_E^x$ is a density matrix on $\mathcal{H}_E$ for every $x \in \mathcal{X}$. Such a state, called hybrid or cq- (for classical-quantum) state, can equivalently be understood as consisting of a random variable $X$ with distribution $P_X$, taking on values in $\mathcal{X}$, and a system $E$ that is in state $\rho_E^x$ exactly when $X$ takes on the value $x$. This formalism naturally extends to two (or more) classical systems $X$, $Y$ etc. For any event $\mathcal{E}$ (defined by $P_{\mathcal{E}|X}(x) = \Pr[\mathcal{E}|X = x]$ for all $x$), we may write

$$\rho_{XE|\mathcal{E}} := \sum_x P_{X|\mathcal{E}}(x)\, |x\rangle\langle x| \otimes \rho_E^x.$$

If the state of $XE$ satisfies $\rho_{XE} = \rho_X \otimes \rho_E$, where $\rho_X = \mathrm{tr}_E(\rho_{XE}) = \sum_x P_X(x)|x\rangle\langle x|$ and $\rho_E = \mathrm{tr}_X(\rho_{XE}) = \sum_x P_X(x)\rho_E^x$, then $X$ is independent of $E$, and thus no information on $X$ can be obtained from system $E$. Moreover, if $\rho_{XE} = \frac{1}{|\mathcal{X}|}\mathbb{I}_X \otimes \rho_E$, where $\mathbb{I}_X$ denotes the identity on $\mathcal{H}_X$, then $X$ is random-and-independent of $E$. We also want to be able to express that a random variable $X$ is (close to) being independent of a quantum system $E$ when given a random variable $Y$. Formally, this is expressed by saying that $\rho_{XYE}$ equals $\rho_{X \leftrightarrow Y \leftrightarrow E}$, where

$$\rho_{X \leftrightarrow Y \leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^y.$$

This notion, called conditional independence, for the quantum setting was introduced in [DFSS07].

For a matrix $\rho$, the trace norm is defined as $\|\rho\|_1 := \mathrm{tr}\sqrt{\rho\rho^*}$, where $\rho^*$ denotes the Hermitian transpose of $\rho$.

Definition 3. The trace distance between two density matrices $\rho, \sigma \in \mathcal{D}(\mathcal{H})$ is defined as $\delta(\rho, \sigma) := \frac12 \|\rho - \sigma\|_1$.

If two states $\rho$ and $\sigma$ are $\varepsilon$-close in trace distance, i.e. $\frac12\|\rho - \sigma\|_1 \le \varepsilon$, we use $\rho \approx_\varepsilon \sigma$ as shorthand. In case of classical states, the trace distance coincides with the statistical distance. Moreover, the trace distance between two states cannot increase when applying the same quantum operation (i.e., CPTP map) to both states. As a consequence, if $\rho \approx_\varepsilon \sigma$ then the states cannot be distinguished with statistical advantage better than $\varepsilon$.

Definition 4. For a density matrix $\rho_{XE} \in \mathcal{D}(\mathcal{H}_X \otimes \mathcal{H}_E)$ with classical $X$, the distance to uniform of $X$ given $E$ is defined as

$$d_{\mathrm{unif}}(X|E) := \frac12 \|\rho_{XE} - \rho_U \otimes \rho_E\|_1,$$

where $\rho_U := \frac{1}{|\mathcal{X}|}\mathbb{I}_X$.

2.4 Min-Entropy and Privacy Amplification 

We make use of Renner's notion of the conditional min-entropy $H_{\min}(\rho_{AB}|B)$ of a system $A$ conditioned on another system $B$ [Ren05]. If the state $\rho_{AB}$ is clear from the context, we may write $H_{\min}(A|B)$ instead of $H_{\min}(\rho_{AB}|B)$. The formal definition is given by $H_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} \max\{h \in \mathbb{R} : 2^{-h} \cdot \mathbb{I}_A \otimes \sigma_B - \rho_{AB} \ge 0\}$, where the supremum is over all density matrices $\sigma_B$ on $\mathcal{H}_B$. If $\mathcal{H}_B$ is the trivial space $\mathbb{C}$, we obtain the unconditional min-entropy of $\rho_A$, denoted as $H_{\min}(\rho_A)$, which simplifies to $H_{\min}(\rho_A) = -\log \lambda_{\max}(\rho_A)$, where $\lambda_{\max}(\rho_A)$ is the largest eigenvalue of $\rho_A$. We will need the following chain rule.
We will need the following chain rule. 

Lemma 5. For any density matrix $\rho$ on $\mathcal{H}_{XYE}$ with classical $X$ and $Y$ it holds that

$$H_{\min}(X|YE) \ge H_{\min}(X|Y) - H_{\max}(E).$$

The proof can be found in Appendix B.

For the special case of a hybrid state $\rho_{XE} \in \mathcal{D}(\mathcal{H}_X \otimes \mathcal{H}_E)$ with classical $X$, it is shown in [KRS09] that the conditional min-entropy of a quantum state coincides with the negative logarithm of the guessing probability conditional on quantum side information

$$p_{\mathrm{guess}}(X|E) := \max_{\{M_x\}_x} \sum_x P_X(x)\, \mathrm{tr}(M_x \rho_E^x),$$

where the latter is the probability that the party holding $\mathcal{H}_E$ guesses $X$ correctly using the POVM $\{M_x\}_x$ on $\mathcal{H}_E$ that maximizes $p_{\mathrm{guess}}$. Thus,

$$H_{\min}(X|E) = -\log p_{\mathrm{guess}}(X|E). \qquad (1)$$

For random variables $X$ and $Y$, we have that $p_{\mathrm{guess}}(X|Y)$ simplifies to

$$p_{\mathrm{guess}}(X|Y) = \sum_y P_Y(y)\, p_{\mathrm{guess}}(X|Y=y) = \sum_y P_Y(y) \max_x P_{X|Y}(x|y).$$

Finally, we make use of Renner's privacy amplification theorem [RK05, Ren05], as given below. Recall that a function $g : \mathcal{R} \times \mathcal{X} \to \{0,1\}^\ell$ is called a universal (hash) function, if for the random variable $R$, uniformly distributed over $\mathcal{R}$, and for any distinct $x, y \in \mathcal{X}$: $\Pr[g(R,x) = g(R,y)] \le 2^{-\ell}$.
Theorem 6 (Privacy amplification). Let $\rho_{XE}$ be a hybrid state with classical $X$. Let $g : \mathcal{R} \times \mathcal{X} \to \{0,1\}^\ell$ be a universal hash function, and let $R$ be uniformly distributed over $\mathcal{R}$, independent of $X$ and $E$. Then $K = g(R,X)$ satisfies

$$d_{\mathrm{unif}}(K|RE) \le \frac12 \cdot 2^{-\frac12 (H_{\min}(X|E) - \ell)}.$$

Informally, Theorem 6 states that if $X$ contains sufficiently more than $\ell$ bits of entropy when given $E$, then $\ell$ nearly random-and-independent bits can be extracted from $X$.

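The classical special case of Theorem 6, where the side information $E$ is a classical random variable $Y$ (so that $d_{\mathrm{unif}}$ becomes a statistical distance and $H_{\min}(X|Y)$ follows from the classical guessing-probability formula above), can be checked exhaustively for small parameters. The following Python script is an added example, not from the paper; it assumes the universal hash $g(R,x) = Rx \bmod 2$ with $R$ a uniformly random $\ell \times n$ bit matrix and a constructed joint distribution `LEAK_FIRST_BIT` of $X$ and $Y$.

```python
import math
from itertools import product

# Added example, not code from the paper: Theorem 6 checked exhaustively for
# classical side information Y, with the linear universal hash g(R, x) = R x mod 2.


def min_entropy_given(PXY):
    """H_min(X|Y) = -log2 p_guess(X|Y) with p_guess(X|Y) = sum_y P_Y(y) max_x P_{X|Y}(x|y),
    which equals sum_y max_x P_XY(x, y). PXY maps (x, y) pairs to probabilities."""
    ys = {y for _, y in PXY}
    return -math.log2(sum(max(p for (x, yy), p in PXY.items() if yy == y) for y in ys))


def hash_bits(R, x):
    """g(R, x) = R x over GF(2): each output bit is a row of R dotted with x."""
    return tuple(sum(ri * xi for ri, xi in zip(row, x)) % 2 for row in R)


def all_matrices(l, n):
    """All l x n bit matrices; R uniform over them is the hash seed."""
    return [tuple(rows) for rows in product(product([0, 1], repeat=n), repeat=l)]


def is_universal(l, n):
    """Check Pr_R[g(R,x) = g(R,y)] <= 2^-l for all distinct x, y (Section 2.4)."""
    matrices = all_matrices(l, n)
    for x in product([0, 1], repeat=n):
        for y in product([0, 1], repeat=n):
            if x != y:
                coll = sum(hash_bits(R, x) == hash_bits(R, y) for R in matrices) / len(matrices)
                if coll > 2.0 ** -l + 1e-12:
                    return False
    return True


def distance_to_uniform(PXY, l):
    """d_unif(K|RY) = 1/2 sum_{r,y} P_R(r) P_Y(y) sum_k |P_{K|R=r,Y=y}(k) - 2^-l| for
    K = g(R, X), R independent of (X, Y); for classical states this is the trace distance."""
    n = len(next(iter(PXY))[0])
    matrices = all_matrices(l, n)
    PY = {}
    for (x, y), p in PXY.items():
        PY[y] = PY.get(y, 0.0) + p
    total = 0.0
    for R in matrices:
        for y, py in PY.items():
            PK = {}                                  # distribution of K given R and Y = y
            for (x, yy), p in PXY.items():
                if yy == y:
                    k = hash_bits(R, x)
                    PK[k] = PK.get(k, 0.0) + p / py
            total += py * sum(abs(PK.get(k, 0.0) - 2.0 ** -l)
                              for k in product([0, 1], repeat=l))
    return 0.5 * total / len(matrices)


def theorem6_bound(PXY, l):
    """Right-hand side of Theorem 6: 1/2 * 2^{-(H_min(X|Y) - l)/2}."""
    return 0.5 * 2.0 ** (-(min_entropy_given(PXY) - l) / 2)


# Constructed joint distribution: X uniform on {0,1}^3 and Y = X_1, i.e. the
# first bit of X leaks, leaving H_min(X|Y) = 2.
LEAK_FIRST_BIT = {(x, x[0]): 1 / 8 for x in product([0, 1], repeat=3)}

if __name__ == "__main__":
    for l in (1, 2):
        print(f"l = {l}: d_unif(K|RY) = {distance_to_uniform(LEAK_FIRST_BIT, l):.4f}"
              f" <= {theorem6_bound(LEAK_FIRST_BIT, l):.4f}")
```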
3 The All-But-One Entropic Uncertainty Relation 

Throughout this section, $\{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ is an arbitrary but fixed family of bases for the state space $\mathcal{H}$ of a quantum system. For simplicity, we restrict our attention to an $n$-qubit system, such that $\mathcal{H} = (\mathbb{C}^2)^{\otimes n}$ for $n \in \mathbb{N}$, but our results immediately generalize to arbitrary quantum systems. We write the $2^n$ basis vectors of the $j$-th basis $\mathcal{B}_j$ as $\mathcal{B}_j = \{|x\rangle_j : x \in \{0,1\}^n\}$. Let $c$ be the maximum overlap of $\{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$, i.e.,

$$c := \max\{ |\langle x|_j |y\rangle_k| : x, y \in \{0,1\}^n,\ 1 \le j < k \le m \}.$$

In order to obtain our entropic uncertainty relation that lower bounds the min-entropy of the measurement outcome for all but one measurement, we first show an uncertainty relation that expresses uncertainty by means of the probability measure of given sets.

Theorem 7 (Theorem 4.18 in [Sch07]). Let $\rho$ be an arbitrary state of $n$ qubits. For $j \in [m]$, let $Q^j(\cdot)$ be the distribution of the outcome when $\rho$ is measured in the $\mathcal{B}_j$-basis, i.e., $Q^j(x) = \langle x|_j\, \rho\, |x\rangle_j$ for any $x \in \{0,1\}^n$. Then, for any family $\{\mathcal{L}^j\}_{j \in [m]}$ of subsets $\mathcal{L}^j \subseteq \{0,1\}^n$, it holds that

$$\sum_{j \in [m]} Q^j(\mathcal{L}^j) \le 1 + (m-1) \cdot c \cdot \max_{j \ne k} \sqrt{|\mathcal{L}^j|\,|\mathcal{L}^k|}.$$

A special case of Theorem 7, obtained by restricting the family of bases to the specific choice $\{\mathcal{B}_+, \mathcal{B}_\times\}$ with $\mathcal{B}_+ = \{|x\rangle : x \in \{0,1\}^n\}$ and $\mathcal{B}_\times = \{H^{\otimes n}|x\rangle : x \in \{0,1\}^n\}$ (i.e. either the computational or Hadamard basis for all qubits), is an uncertainty relation that was proven and used in the original paper about the BQSM [DFSS05]. The proof of Theorem 7 goes along similar lines as the proof in the journal version of [DFSS05] for the special case outlined above. It is based on the norm inequality

$$\|A_1 + \cdots + A_m\| \le 1 + (m-1) \cdot \max_{j \ne k} \|A_j A_k\|,$$

which holds for arbitrary orthogonal projectors $A_1, \ldots, A_m$. Recall that for a linear operator $A$ on the complex Hilbert space $\mathcal{H}$, the operator norm is defined as $\|A\| := \sup \|A|\psi\rangle\|$, where the supremum is over all norm-1 $|\psi\rangle \in \mathcal{H}$; this is identical to $\|A\| := \sup |\langle\varphi|A|\psi\rangle|$, where the supremum is over all norm-1 $|\varphi\rangle, |\psi\rangle \in \mathcal{H}$. Furthermore, $A$ is called an orthogonal projector if $A^2 = A$ and $A^* = A$. The proof of this norm inequality can be found in Appendix A. The proof of Theorem 7 is given here.

Proof of Theorem 7. For $j \in [m]$, we define the orthogonal projectors $A_j := \sum_{x \in \mathcal{L}^j} |x\rangle_j\langle x|_j$. Using the spectral decomposition of $\rho = \sum_w \lambda_w |\varphi_w\rangle\langle\varphi_w|$ and the linearity of the trace, we have

$$\sum_{j \in [m]} Q^j(\mathcal{L}^j) = \sum_{j \in [m]} \mathrm{tr}(A_j \rho) = \sum_{j \in [m]} \sum_w \lambda_w \langle\varphi_w|A_j|\varphi_w\rangle = \sum_w \lambda_w \langle\varphi_w|\Big(\sum_{j \in [m]} A_j\Big)|\varphi_w\rangle \le \Big\|\sum_{j \in [m]} A_j\Big\| \le 1 + (m-1) \cdot \max_{j \ne k} \|A_j A_k\|,$$

where the last inequality is the norm inequality (Proposition 26 in Appendix A). To conclude, we show that $\|A_j A_k\| \le c\sqrt{|\mathcal{L}^j|\,|\mathcal{L}^k|}$. Let us fix $j \ne k \in [m]$. Note that by the restriction on the overlap of the family of bases $\{\mathcal{B}_j\}$, we have that $|\langle x|_j |y\rangle_k| \le c$ holds for all $x, y \in \{0,1\}^n$. Then, with the sums over $x$ and $y$ understood as over $x \in \mathcal{L}^j$ and $y \in \mathcal{L}^k$ respectively, for any norm-1 $|\psi\rangle$,

$$\|A_j A_k|\psi\rangle\|^2 = \Big\|\sum_x |x\rangle_j \langle x|_j A_k|\psi\rangle\Big\|^2 = \Big\|\sum_x \sum_y \langle x|_j|y\rangle_k \langle y|_k|\psi\rangle\, |x\rangle_j\Big\|^2 = \sum_x \Big|\sum_y \langle x|_j|y\rangle_k \langle y|_k|\psi\rangle\Big|^2 \le \sum_x \Big(\sum_y |\langle x|_j|y\rangle_k|\,|\langle y|_k|\psi\rangle|\Big)^2 \le c^2 \sum_x \Big(\sum_y |\langle y|_k|\psi\rangle|\Big)^2 \le c^2\, |\mathcal{L}^j|\,|\mathcal{L}^k|.$$

The third equality follows from Pythagoras, the first inequality holds by triangle inequality, the second inequality by the bound on $|\langle x|_j|y\rangle_k|$, and the last follows from Cauchy-Schwarz. This implies $\|A_j A_k\| \le c\sqrt{|\mathcal{L}^j|\,|\mathcal{L}^k|}$ and finishes the proof. □



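As an added example (not code from the paper), the following Python script builds the qubit-wise bases $\mathcal{B}_v$, $v \in \{+,\times\}^n$, of Section 2.3 from scratch, computes the maximum overlap $c$ of a family numerically, checks Theorem 7 on a constructed state and family of sets $\mathcal{L}^j$, and reproduces the Section 1.1 observation that the average min-entropy of the mixture $\frac12|0^n\rangle\langle 0^n| + \frac12|+^n\rangle\langle +^n|$ stays below $\log|\mathcal{J}| = 1$ while the Shannon entropies still satisfy the Maassen-Uffink bound $d$. The basis strings, the state and the singleton sets $\mathcal{L}^j$ are constructed choices for this example.

```python
import math
from itertools import product

# Added example, not code from the paper. Qubit-wise bases B_v, v in {+,x}^n
# (Section 2.3), with pure-Python amplitude vectors so that no library is needed.
SQRT2 = math.sqrt(2.0)


def basis_vector(x, v):
    """Amplitudes, in computational order, of |x>_v = |x_1>_{v_1} (x) ... (x) |x_n>_{v_n}."""
    amps = [1.0]
    for xi, vi in zip(x, v):
        if vi == '+':                                   # computational (plus) basis
            single = [1.0, 0.0] if xi == 0 else [0.0, 1.0]
        else:                                           # Hadamard (times) basis: H|x_i>
            single = [1 / SQRT2, (1.0 if xi == 0 else -1.0) / SQRT2]
        amps = [a * s for a in amps for s in single]    # tensor product
    return amps


def inner(a, b):
    """<a|b>; every vector used here has real amplitudes, so no conjugation is needed."""
    return sum(p * q for p, q in zip(a, b))


def max_overlap(bases):
    """c := max{ |<x|_j |y>_k| : x, y in {0,1}^n, 1 <= j < k <= m } (Section 3)."""
    strings = list(product([0, 1], repeat=len(bases[0])))
    c = 0.0
    for j in range(len(bases)):
        for k in range(j + 1, len(bases)):
            for x in strings:
                bx = basis_vector(x, bases[j])
                for y in strings:
                    c = max(c, abs(inner(bx, basis_vector(y, bases[k]))))
    return c


def outcome_distribution(mixture, v):
    """Q^v(x) = sum_w lambda_w |<x|_v|phi_w>|^2 for rho = sum_w lambda_w |phi_w><phi_w|,
    where mixture is a list of (lambda_w, amplitude vector of phi_w) pairs."""
    return {x: sum(lam * inner(basis_vector(x, v), phi) ** 2 for lam, phi in mixture)
            for x in product([0, 1], repeat=len(v))}


def min_entropy(dist):
    """H_min(X) = -log2 max_x P_X(x)."""
    return -math.log2(max(dist.values()))


def shannon_entropy(dist):
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def theorem7_sides(mixture, bases, sets):
    """Left and right side of Theorem 7:
    sum_j Q^j(L^j)  <=  1 + (m-1) * c * max_{j != k} sqrt(|L^j| |L^k|)."""
    m = len(bases)
    lhs = sum(sum(outcome_distribution(mixture, v)[x] for x in L)
              for v, L in zip(bases, sets))
    biggest = max(math.sqrt(len(sets[j]) * len(sets[k]))
                  for j in range(m) for k in range(j + 1, m))
    return lhs, 1 + (m - 1) * max_overlap(bases) * biggest


def section11_example(n):
    """The Section 1.1 mixture rho = 1/2 |0^n><0^n| + 1/2 |+^n><+^n| measured in the
    all-plus or all-times basis. Returns (average min-entropy over the two bases,
    sum of the two Shannon entropies, d = -log c^2 for this pair of bases)."""
    plus, times, zeros = ('+',) * n, ('x',) * n, (0,) * n
    mixture = [(0.5, basis_vector(zeros, plus)), (0.5, basis_vector(zeros, times))]
    q_plus = outcome_distribution(mixture, plus)
    q_times = outcome_distribution(mixture, times)
    avg_min = (min_entropy(q_plus) + min_entropy(q_times)) / 2
    shannon_sum = shannon_entropy(q_plus) + shannon_entropy(q_times)
    d = -math.log2(max_overlap([plus, times]) ** 2)
    return avg_min, shannon_sum, d


def most_likely_outcome(mixture, v):
    """The single most likely outcome of measuring the mixture in basis v."""
    dist = outcome_distribution(mixture, v)
    return max(dist, key=dist.get)


if __name__ == "__main__":
    avg_min, shannon_sum, d = section11_example(3)
    print(f"average H_min = {avg_min:.3f} (<= log|J| = 1), "
          f"Shannon sum = {shannon_sum:.3f} (>= d = {d:.1f})")
    # Constructed family of three qubit-wise bases and constructed singleton sets L^j.
    bases = [('+', '+', '+'), ('x', 'x', 'x'), ('+', 'x', '+')]
    mixture = [(0.5, basis_vector((0, 0, 0), bases[0])),
               (0.5, basis_vector((0, 0, 0), bases[1]))]
    sets = [[most_likely_outcome(mixture, v)] for v in bases]
    lhs, rhs = theorem7_sides(mixture, bases, sets)
    print(f"Theorem 7: sum_j Q^j(L^j) = {lhs:.3f} <= {rhs:.3f}")
```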
In the same spirit as in (the journal version of) [DFSS05], we reformulate the above uncertainty relation in terms of a "good event" $\mathcal{E}$, which occurs with reasonable probability, and if it occurs, the measurement outcomes have high min-entropy. The statement is obtained by choosing the sets $\mathcal{L}^j$ in Theorem 7 appropriately.

Because we now switch to entropy notation, it will be convenient to work with a measure of overlap between bases that is logarithmic in nature and relative to the number $n$ of qubits. Hence, we define

$$\delta := -\frac{1}{n} \log c^2 .$$

We will later see that for "good" choices of bases, $\delta$ stays constant for growing $n$.

Corollary 8. Let $\rho$ be an arbitrary $n$-qubit state, let $J$ be a random variable over $[m]$ (with arbitrary distribution $P_J$), and let $X$ be the outcome when measuring $\rho$ in basis $\mathcal{B}_J$.[5] Then, for any $0 < \varepsilon < \delta/4$, there exists an event $\mathcal{E}$ such that

$$\sum_{j \in [m]} \Pr[\mathcal{E}|J=j] \ge (m-1) - (2m-1) \cdot 2^{-\varepsilon n}$$

and

$$H_{\min}(X|J=j, \mathcal{E}) \ge \Big(\frac{\delta}{2} - 2\varepsilon\Big) n$$

for $j \in [m]$ with $P_{J|\mathcal{E}}(j) > 0$.

[5] I.e., $P_{X|J}(x|j) = Q^j(x)$, using the notation from Theorem 7.



Proof. For $j \in [m]$ define

$$\mathcal{S}^j := \{x \in \{0,1\}^n : Q^j(x) < 2^{-(\delta/2 - \varepsilon)n}\}$$

to be the sets of strings with small probabilities and denote by $\mathcal{L}^j := \overline{\mathcal{S}^j}$ their complement.[6] Note that for all $x \in \mathcal{L}^j$, we have that $Q^j(x) \ge 2^{-(\delta/2 - \varepsilon)n}$ and therefore $|\mathcal{L}^j| \le 2^{(\delta/2 - \varepsilon)n}$. It follows from Theorem 7 that

$$\sum_{j \in [m]} Q^j(\mathcal{S}^j) = \sum_{j \in [m]} \big(1 - Q^j(\mathcal{L}^j)\big) \ge m - \big(1 + (m-1) \cdot 2^{-\varepsilon n}\big) = (m-1) - (m-1)\, 2^{-\varepsilon n}.$$

We define $\mathcal{E} := \{X \in \mathcal{S}^J \wedge Q^J(\mathcal{S}^J) \ge 2^{-\varepsilon n}\}$ to be the event that $X \in \mathcal{S}^J$ and at the same time the probability that this happens is not too small. Then $\Pr[\mathcal{E}|J=j] = \Pr[X \in \mathcal{S}^j \wedge Q^j(\mathcal{S}^j) \ge 2^{-\varepsilon n} \,|\, J=j]$ either vanishes (if $Q^j(\mathcal{S}^j) < 2^{-\varepsilon n}$) or else equals $Q^j(\mathcal{S}^j)$. In either case, $\Pr[\mathcal{E}|J=j] \ge Q^j(\mathcal{S}^j) - 2^{-\varepsilon n}$ holds and thus the first claim follows by summing over $j \in [m]$ and using the derivation above. Furthermore, let $p = \max_j P_J(j)$; then $\Pr[\bar{\mathcal{E}}] = \sum_{j \in [m]} P_J(j) \Pr[\bar{\mathcal{E}}|J=j] \le p \sum_{j \in [m]} \Pr[\bar{\mathcal{E}}|J=j] = p\big(m - \sum_{j \in [m]} \Pr[\mathcal{E}|J=j]\big) \le p\big(1 + (2m-1) \cdot 2^{-\varepsilon n}\big)$, and $\Pr[\mathcal{E}] \ge (1-p) - p(2m-1) \cdot 2^{-\varepsilon n}$.

Regarding the second claim, in case $J = j$, we have

$$H_{\min}(X|J=j, \mathcal{E}) = -\log\Big(\frac{\max_{x \in \mathcal{S}^j} Q^j(x)}{Q^j(\mathcal{S}^j)}\Big) \ge -\log\Big(\frac{2^{-(\delta/2 - \varepsilon)n}}{Q^j(\mathcal{S}^j)}\Big) = (\delta/2 - \varepsilon)n + \log\big(Q^j(\mathcal{S}^j)\big).$$

As $Q^j(\mathcal{S}^j) \ge 2^{-\varepsilon n}$ by definition of $\mathcal{E}$, we have $H_{\min}(X|J=j, \mathcal{E}) \ge (\delta/2 - 2\varepsilon)n$. □



3.1 Main Result and Its Proof 

We are now ready to state and prove our new all-but-one entropic uncertainty relation. 

Theorem 9. Let p be an arbitrary n-qubit state, let J be a random variable over [m] (with 
arbitrary distribution Pj), and let X be the outcome when measuring p in basis Bj. Then, 
for any < e < 6/4, there exists a random variable J' with joint distribution Pjj'x such 
that (1) J and J' are independent and (2) there exists an event ^> with Pr[^] > 1 — 2-2~ en 
such thav\ 

H miQ (X\J = j, J' = j', > (- - 2e)n - 1 
for all j,f £ [m] with j ^ / and Pjj>\a,(j,f) > 0. 

Note that, as phrased, Theorem 9 requires that $J$ is fixed and known, and only then the existence of $J'$ can be guaranteed. This is actually not necessary. By looking at the proof, we see that $J'$ can be defined simultaneously in all $m$ probability spaces $P_{X|J=j}$ with $j \in [m]$, without having assigned a probability distribution to $J$ yet, so that the random variable $J'$ we obtain by assigning an arbitrary probability distribution $P_J$ to $J$ satisfies the claimed properties. This in particular implies that the (marginal) distribution of $J'$ is fully determined by $\rho$.

6 Here's the mnemonic: S for the strings with Small probabilities, L for Large.

7 Instead of introducing such an event $\Psi$, we could also express the min-entropy bound by means of the smooth min-entropy of $X$ given $J = j$ and $J' = j'$.
The idea of the proof of Theorem 9 is to (try to) define the random variable $J'$ in such a way that the event $J \ne J'$ coincides with the "good event" $\mathcal{E}$ from Corollary 8. It then follows immediately from Corollary 8 that $H_{\min}(X\,|\,J=j, J'\ne J) \ge (\delta/2 - 2\varepsilon)n$, which is already close to the actual min-entropy bound we need to prove. This approach dictates that if the event $\mathcal{E}$ does not occur, then $J'$ needs to coincide with $J$. Vice versa, if $\mathcal{E}$ does occur, then $J'$ needs to be different from $J$. However, it is a priori unclear how to choose $J'$ different from $J$ in case $\mathcal{E}$ occurs. There is only one way to set $J'$ to be equal to $J$, but there are many ways to set $J'$ to be different from $J$ (unless $m = 2$). It needs to be done in such a way that without conditioning on $\mathcal{E}$ or its complement, $J$ and $J'$ are independent.

Somewhat surprisingly, it turns out that the following does the job. To simplify this informal discussion, we assume that the sum of the $m$ probabilities $\Pr[\mathcal{E}\,|\,J=j]$ from Corollary 8 equals $m-1$ exactly. It then follows that the corresponding complementary probabilities, $\Pr[\bar{\mathcal{E}}\,|\,J=j]$ for the $m$ different choices of $j \in [m]$, add up to 1 and thus form a probability distribution. $J'$ is now chosen, in the above spirit depending on the event $\mathcal{E}$, so that its marginal distribution $P_{J'}$ coincides with this probability distribution: $P_{J'}(j') = \Pr[\bar{\mathcal{E}}\,|\,J=j']$ for all $j' \in [m]$. Thus, in case the event $\mathcal{E}$ occurs, $J'$ is chosen according to this distribution but conditioned on being different from the value $j$ taken on by $J$. The technical details, and how to massage the argument in case the sum of the $\Pr[\mathcal{E}\,|\,J=j]$'s is not exactly $m-1$, are worked out in the proof below.

Proof of Theorem 9. From Corollary 8 we know that for any $0 < \varepsilon < \delta/4$, there exists an event $\mathcal{E}$ such that $\sum_{j\in[m]}\Pr[\mathcal{E}\,|\,J=j] = m-1-\alpha$, and thus $\sum_{j\in[m]}\Pr[\bar{\mathcal{E}}\,|\,J=j] = 1+\alpha$, for $-1 \le \alpha \le (2m-1)2^{-\varepsilon n}$. We make a case distinction between $\alpha = 0$, $\alpha > 0$ and $\alpha < 0$; we start with the case $\alpha = 0$, and subsequently prove the other two cases by reducing them to the case $\alpha = 0$ by "inflating" and "deflating" the event $\mathcal{E}$ appropriately. The approach for the case $\alpha = 0$ is to define $J'$ in such a way that $\mathcal{E} \Leftrightarrow J \ne J'$, i.e., the event $J \ne J'$ coincides with the event $\mathcal{E}$. The min-entropy bound from Corollary 8 then immediately translates to $H_{\min}(X\,|\,J=j, J'\ne J) \ge (\delta/2 - 2\varepsilon)n$, and to $H_{\min}(X\,|\,J=j, J'=j') \ge (\delta/2 - 2\varepsilon)n$ for $j' \ne j$ with $P_{JJ'}(j,j') > 0$, as we will show. What is not obvious about the approach is how to define $J'$ when it is supposed to be different from $J$, i.e., when the event $\mathcal{E}$ occurs, so that in the end $J$ and $J'$ are independent.

Formally, we define $J'$ by means of the following conditional probability distributions:

$$P_{J'|JX\bar{\mathcal{E}}}(j'\,|\,j,x) := \begin{cases} 1 & \text{if } j = j' \\ 0 & \text{if } j \ne j' \end{cases} \qquad\text{and}\qquad P_{J'|JX\mathcal{E}}(j'\,|\,j,x) := \begin{cases} 0 & \text{if } j = j' \\[4pt] \dfrac{\Pr[\bar{\mathcal{E}}\,|\,J=j']}{\Pr[\mathcal{E}\,|\,J=j]} & \text{if } j \ne j'. \end{cases}$$

We assume for the moment that the denominator in the latter expression does not vanish for any $j$; we take care of the case where it does later. Trivially, $P_{J'|JX\bar{\mathcal{E}}}$ is a proper distribution, with non-negative probabilities that add up to 1, and the same holds for $P_{J'|JX\mathcal{E}}$:

$$\sum_{j'\in[m]} P_{J'|JX\mathcal{E}}(j'\,|\,j,x) = \sum_{j'\in[m]\setminus\{j\}} P_{J'|JX\mathcal{E}}(j'\,|\,j,x) = \sum_{j'\in[m]\setminus\{j\}} \frac{\Pr[\bar{\mathcal{E}}\,|\,J=j']}{\Pr[\mathcal{E}\,|\,J=j]} = 1,$$

where we used that $\sum_{j\in[m]}\Pr[\bar{\mathcal{E}}\,|\,J=j] = 1$ (because $\alpha = 0$) in the last equality. Furthermore, it follows immediately from the definition of $J'$ that $\bar{\mathcal{E}} \Rightarrow J = J'$ and $\mathcal{E} \Rightarrow J \ne J'$. Hence, $\mathcal{E} \Leftrightarrow J \ne J'$, and thus the bound from Corollary 8 translates to $H_{\min}(X\,|\,J=j, J'\ne J) \ge (\delta/2 - 2\varepsilon)n$. It remains to argue that $J'$ is independent of $J$, and that the bound also holds for $H_{\min}(X\,|\,J=j, J'=j')$ whenever $j \ne j'$.
The latter follows immediately from the fact that conditioned on $J \ne J'$ (which is equivalent to $\mathcal{E}$), $X$, $J$ and $J'$ form a Markov chain $X \leftrightarrow J \leftrightarrow J'$, and thus, given $J = j$, additionally conditioning on $J' = j'$ does not change the distribution of $X$. For the independence of $J$ and $J'$, consider the joint probability distribution of $J$ and $J'$, given by

$$P_{JJ'}(j,j') = P_{JJ'\mathcal{E}}(j,j') + P_{JJ'\bar{\mathcal{E}}}(j,j') = P_J(j)\Pr[\mathcal{E}\,|\,J=j]\,P_{J'|J\mathcal{E}}(j'\,|\,j) + P_J(j)\Pr[\bar{\mathcal{E}}\,|\,J=j]\,P_{J'|J\bar{\mathcal{E}}}(j'\,|\,j) = P_J(j)\Pr[\bar{\mathcal{E}}\,|\,J=j'],$$

where the last equality follows by separately analyzing the cases $j = j'$ and $j \ne j'$. It follows immediately that the marginal distribution of $J'$ is $P_{J'}(j') = \sum_j P_{JJ'}(j,j') = \Pr[\bar{\mathcal{E}}\,|\,J=j']$, and thus $P_{JJ'} = P_J \cdot P_{J'}$.

What is left to do for the case $\alpha = 0$ is to deal with the case where there exists $j^*$ with $\Pr[\mathcal{E}\,|\,J=j^*] = 0$. Since $\sum_{j\in[m]}\Pr[\bar{\mathcal{E}}\,|\,J=j] = 1$, it holds that $\Pr[\bar{\mathcal{E}}\,|\,J=j] = 0$ for $j \ne j^*$. This motivates defining $J'$ as $J' := j^*$ with probability 1. Note that this definition directly implies that $J'$ is independent of $J$. Furthermore, by the above observations: $\mathcal{E} \Leftrightarrow J \ne J'$. This concludes the case $\alpha = 0$.

Next, we consider the case $\alpha > 0$. The idea is to "inflate" the event $\mathcal{E}$ so that $\alpha$ becomes 0, i.e., to define an event $\mathcal{E}'$ that contains $\mathcal{E}$ (meaning that $\mathcal{E} \Rightarrow \mathcal{E}'$) so that $\sum_{j\in[m]}\Pr[\mathcal{E}'\,|\,J=j] = m-1$, and to define $J'$ as in the case $\alpha = 0$ (but now using $\mathcal{E}'$). Formally, we define $\mathcal{E}'$ as the disjoint union $\mathcal{E}' = \mathcal{E} \vee \mathcal{E}_\square$ of $\mathcal{E}$ and an event $\mathcal{E}_\square$. The event $\mathcal{E}_\square$ is defined by means of $\Pr[\mathcal{E}_\square\,|\,\mathcal{E}, J=j, X=x] = 0$, so that $\mathcal{E}$ and $\mathcal{E}_\square$ are indeed disjoint, and $\Pr[\mathcal{E}_\square\,|\,J=j, X=x] = \alpha/m$, so that indeed

$$\sum_{j\in[m]}\Pr[\mathcal{E}'\,|\,J=j] = \sum_{j\in[m]}\bigl(\Pr[\mathcal{E}\,|\,J=j] + \Pr[\mathcal{E}_\square\,|\,J=j]\bigr) = (m-1-\alpha) + \alpha = m-1.$$

We can now apply the analysis of the case $\alpha = 0$ to conclude the existence of $J'$, independent of $J$, such that $J \ne J' \Leftrightarrow \mathcal{E}'$ and thus $(J \ne J') \wedge \bar{\mathcal{E}}_\square \Leftrightarrow \mathcal{E}' \wedge \bar{\mathcal{E}}_\square \Leftrightarrow \mathcal{E}$. Setting $\Psi := \bar{\mathcal{E}}_\square$, it follows that

$$H_{\min}(X\,|\,J=j, J\ne J', \Psi) = H_{\min}(X\,|\,J=j, \mathcal{E}) \ge (\delta/2 - 2\varepsilon)n,$$

where $\Pr[\Psi] = 1 - \Pr[\mathcal{E}_\square] = 1 - \alpha/m \ge 1 - (2m-1)2^{-\varepsilon n}/m \ge 1 - 2\cdot 2^{-\varepsilon n}$. Finally, using similar reasoning as in the case $\alpha = 0$, it follows that the same bound holds for $H_{\min}(X\,|\,J=j, J'=j', \Psi)$ whenever $j \ne j'$. This concludes the case $\alpha > 0$.

Finally, we consider the case $\alpha < 0$. The approach is the same as above, but now $\mathcal{E}'$ is obtained by "deflating" $\mathcal{E}$. Specifically, we define $\mathcal{E}'$ by means of $\Pr[\mathcal{E}'\,|\,\bar{\mathcal{E}}, J=j, X=x] = \Pr[\mathcal{E}'\,|\,\bar{\mathcal{E}}] = 0$, so that $\mathcal{E}'$ is contained in $\mathcal{E}$, and $\Pr[\mathcal{E}'\,|\,\mathcal{E}, J=j, X=x] = \Pr[\mathcal{E}'\,|\,\mathcal{E}] = \frac{m-1}{m-1-\alpha}$, so that

$$\sum_{j\in[m]}\Pr[\mathcal{E}'\,|\,J=j] = \sum_{j\in[m]}\frac{m-1}{m-1-\alpha}\cdot\Pr[\mathcal{E}\,|\,J=j] = m-1.$$

Again, from the $\alpha = 0$ case we obtain $J'$, independent of $J$, such that the event $J \ne J'$ is equivalent to the event $\mathcal{E}'$. It follows that

$$H_{\min}(X\,|\,J=j, J\ne J') = H_{\min}(X\,|\,J=j, \mathcal{E}') = H_{\min}(X\,|\,J=j, \mathcal{E}', \mathcal{E}) \ge H_{\min}(X\,|\,J=j, \mathcal{E}) + \log\bigl(P[\mathcal{E}'\,|\,\mathcal{E}, J=j]\bigr) \ge (\delta/2 - 2\varepsilon)n - 1,$$

where the second equality holds because $\mathcal{E}' \Rightarrow \mathcal{E}$, the first inequality holds because additionally conditioning on $\mathcal{E}'$ increases the probabilities of $X$ conditioned on $J = j$ and $\mathcal{E}$ by at most a factor $1/P[\mathcal{E}'\,|\,\mathcal{E}, J=j]$, and the last inequality holds by Corollary 8 and because $P[\mathcal{E}'\,|\,\mathcal{E}, J=j] = \frac{m-1}{m-1-\alpha} \ge \frac12$, where the latter holds since $\alpha \ge -1$. Finally, using similar reasoning as in the previous cases, it follows that the same bound holds for $H_{\min}(X\,|\,J=j, J'=j')$ whenever $j \ne j'$. This concludes the proof. □
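As an added numerical check (not code from the paper), the following Python carries out the construction of $J'$ from the proof above for constructed sample values of $P_J$ and $\Pr[\mathcal{E}\,|\,J=j]$: it inflates or deflates $\mathcal{E}$ into $\mathcal{E}'$ according to the sign of $\alpha$, builds $P_{JJ'}$ from the two conditional distributions (including the degenerate case $\Pr[\mathcal{E}'\,|\,J=j^*] = 0$), and verifies with exact rational arithmetic that $J$ and $J'$ are independent and that $J \ne J'$ coincides with $\mathcal{E}'$.

```python
# Added example, not from the paper: the J' construction of Theorem 9's proof on
# constructed inputs. p_J is a distribution over [m]; p_E[j] plays Pr[E|J=j].
from fractions import Fraction
from typing import List, Tuple

Frac = Fraction


def inflate_or_deflate(p_E: List[Frac]) -> Tuple[List[Frac], Frac]:
    """Return Pr[E'|J=j] for all j and Pr[Psi], following the case distinction
    on alpha = (m-1) - sum_j Pr[E|J=j]."""
    m = len(p_E)
    alpha = (m - 1) - sum(p_E)
    if alpha == 0:                          # alpha = 0: E' = E, Psi is the certain event
        return list(p_E), Frac(1)
    if alpha > 0:                           # "inflate": add a disjoint event E_box
        extra = alpha / m                   # Pr[E_box | J=j, X=x] = alpha/m
        p_Ep = [p + extra for p in p_E]
        assert all(p <= 1 for p in p_Ep), "E_box must fit inside the complement of E"
        return p_Ep, 1 - extra              # Pr[Psi] = 1 - Pr[E_box] = 1 - alpha/m
    scale = Frac(m - 1) / (m - 1 - alpha)   # "deflate": Pr[E'|E] = (m-1)/(m-1-alpha)
    return [scale * p for p in p_E], Frac(1)


def joint_distribution(p_J: List[Frac], p_Ep: List[Frac]) -> List[List[Frac]]:
    """P_{JJ'}(j,j') from the conditional definitions: given not-E', J' = J;
    given E', J' = j' != j with probability Pr[not-E'|J=j'] / Pr[E'|J=j];
    if some Pr[E'|J=j*] = 0, then J' := j* with probability 1."""
    m = len(p_J)
    p_notEp = [1 - p for p in p_Ep]
    zeros = [j for j in range(m) if p_Ep[j] == 0]
    joint = [[Frac(0)] * m for _ in range(m)]
    for j in range(m):
        for jp in range(m):
            if zeros:                                        # degenerate case
                cond = Frac(1) if jp == zeros[0] else Frac(0)
            else:
                given_notEp = Frac(1) if jp == j else Frac(0)
                given_Ep = Frac(0) if jp == j else p_notEp[jp] / p_Ep[j]
                cond = p_notEp[j] * given_notEp + p_Ep[j] * given_Ep
            joint[j][jp] = p_J[j] * cond
    return joint


def check_construction(p_J: List[Frac], p_E: List[Frac]) -> dict:
    """Verify (1) J and J' are independent and (2) Pr[J != J' | J=j] = Pr[E'|J=j]."""
    m = len(p_J)
    p_Ep, p_Psi = inflate_or_deflate(p_E)
    joint = joint_distribution(p_J, p_Ep)
    marg_Jp = [sum(joint[j][jp] for j in range(m)) for jp in range(m)]
    independent = all(joint[j][jp] == p_J[j] * marg_Jp[jp]
                      for j in range(m) for jp in range(m))
    neq_is_Ep = all(sum(joint[j][jp] for jp in range(m) if jp != j) == p_J[j] * p_Ep[j]
                    for j in range(m) if p_J[j] > 0)
    return {"independent": independent, "neq_is_Ep": neq_is_Ep,
            "marginal_Jp": marg_Jp, "pr_psi": p_Psi}
```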

3.2 Constructing Good Families of Bases 

Here, we discuss some interesting choices for the family $\{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ of bases. We say that such a family is "good" if $\delta = -\frac{1}{n}\log(c^2)$ converges to a strictly positive constant as $n$ tends to infinity. There are various ways to construct such families. For example, a family obtained through sampling according to the Haar measure will be good with overwhelming probability (a precise statement, in which "good" means $\delta = 0.9$, can be found at the very end of the proof of Theorem 2.5 of [FHS11]). The best possible constant $\delta = 1$ is achieved for a family of mutually unbiased bases. However, for arbitrary quantum systems (i.e., not necessarily multi-qubit systems) it is not well understood how large such a family may be, beyond that its size cannot exceed the dimension plus 1.

In the upcoming section, we will use the following simple and well-known construction. For an arbitrary binary code $C \subseteq \{+,\times\}^n$ of size $m$, minimum distance $d$ and encoding function $c : [m] \to C$, we can construct a family $\{\mathcal{B}_1, \ldots, \mathcal{B}_m\}$ of bases as follows. We identify the $j$th codeword, i.e. $c(j) = (c_1, \ldots, c_n)$ for $j \in [m]$, with the basis $\mathcal{B}_j = \{|x\rangle_{c(j)} : x \in \{0,1\}^n\} = \{(H^{c_1}\otimes\cdots\otimes H^{c_n})|x\rangle : x \in \{0,1\}^n\}$. In other words, $\mathcal{B}_j$ measures qubit-wise in the computational or the Hadamard basis, depending on the corresponding coordinate of $c(j)$. It is easy to see that the maximum overlap $c$ of the family obtained this way is directly related to the minimum distance of $C$, namely $\delta = -\frac{1}{n}\log(c^2)$ coincides with the relative minimal distance $d/n$ of $C$. Hence, choosing an asymptotically good code immediately yields a good family of bases.
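As an added illustration (not code from the paper), the following Python builds the family $\{\mathcal{B}_j\}$ from a small constructed code, computes the maximum overlap $c$ by brute force over all pairs of basis vectors, and checks that $-\frac{1}{n}\log(c^2)$ equals $d/n$; the symbol $+$ is mapped to $H^0 = I$ and $\times$ to $H^1 = H$, with the letter `x` standing for $\times$ in the code strings.

```python
# Added example, not from the paper: basis family from a binary code over {+, x}
# and the relation delta = -(1/n) log(c^2) = d/n, verified on constructed codes.
import itertools
import math
from typing import List, Tuple

SQ = 1 / math.sqrt(2)

# constructed sample codes: CODE_A has n = 4, d = 2; CODE_B is the repetition code, d = n = 3
CODE_A = ["++++", "+x+x", "x+x+", "xxxx"]
CODE_B = ["+++", "xxx"]


def qubit(symbol: str, bit: int) -> List[float]:
    """Amplitudes of H^{c_i}|bit>: '+' is the computational basis, 'x' the Hadamard basis."""
    if symbol == "+":
        return [1.0, 0.0] if bit == 0 else [0.0, 1.0]
    return [SQ, SQ] if bit == 0 else [SQ, -SQ]


def basis_vector(codeword: str, x: Tuple[int, ...]) -> List[float]:
    """2^n-dimensional amplitude vector of |x>_{c} = H^{c_1}|x_1> (x) ... (x) H^{c_n}|x_n>."""
    vec = [1.0]
    for symbol, bit in zip(codeword, x):
        q = qubit(symbol, bit)
        vec = [a * b for a in vec for b in q]     # Kronecker product, qubit 1 most significant
    return vec


def basis(codeword: str) -> List[List[float]]:
    """The basis B_j: one vector for every x in {0,1}^n."""
    n = len(codeword)
    return [basis_vector(codeword, x) for x in itertools.product((0, 1), repeat=n)]


def max_overlap(code: List[str]) -> float:
    """c = max over pairs of distinct bases and all of their vectors of |<u|v>|."""
    bases = [basis(cw) for cw in code]
    c = 0.0
    for bj, bk in itertools.combinations(bases, 2):
        for u in bj:
            for v in bk:
                c = max(c, abs(sum(a * b for a, b in zip(u, v))))
    return c


def min_distance(code: List[str]) -> int:
    """Minimum Hamming distance d of the code."""
    return min(sum(a != b for a, b in zip(u, v))
               for u, v in itertools.combinations(code, 2))


def delta_from_overlap(code: List[str]) -> float:
    """delta = -(1/n) log_2(c^2); for this construction it equals d/n."""
    n = len(code[0])
    return -math.log2(max_overlap(code) ** 2) / n
```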

4 Application: A New Quantum Identification Scheme 

Our main application of the new uncertainty relation is in proving security of a new 
identification scheme in the quantum setting. The goal of (password-based) identification 
is to "prove" knowledge of a password w (or some other low-entropy key, like a PIN) 
without giving $w$ away. More formally, given a user U and a server S that hold a pre-agreed password $w \in W$, U wants to convince S that he indeed knows $w$, but in such
a way that he gives away as little information on w as possible in case he is actually 
interacting with a dishonest server S*. 

In [DFSS07], Damgard et al. showed the existence of a secure identification scheme in the bounded-quantum-storage model. The scheme involves the communication of qubits, and is secure against an arbitrary dishonest server S* that has limited quantum storage capabilities and can only store a certain fraction of the communicated qubits, whereas the security against a dishonest user U* holds unconditionally.

On the negative side, it is known that without any restriction on (one of) the dishonest participants, secure identification is impossible (even in the quantum setting). Indeed, if a quantum scheme is unconditionally secure against a dishonest user, then unavoidably it can be broken by a dishonest server with unbounded quantum-storage and unbounded quantum-computing power; this follows essentially from [Lo97] (see also [DFSS07]). Thus, the best one can hope for (for a scheme that is unconditionally secure against a dishonest user) is that in order to break it, unbounded quantum storage and unbounded quantum-computing power is necessary for the dishonest server. This is not the case for the scheme of [DFSS07]: storing all the communicated qubits as they are, and measuring them qubit-wise in one or the other basis at the end, completely breaks the scheme. Thus, no quantum computing power at all is necessary to break the scheme, only sufficient quantum storage.

In this section, we propose a new identification scheme, which can be regarded as a first step towards closing the above gap. Like the scheme from [DFSS07], our new scheme is secure against an unbounded dishonest user and against a dishonest server with limited quantum storage capabilities. The new uncertainty relation forms the main ingredient in the user-security proof in the BQSM. Furthermore, and in contrast to [DFSS07], a minimal amount of quantum computation power is necessary to break the scheme, beyond sufficient quantum storage. Indeed, next to the security against a dishonest server with bounded quantum storage, we also prove — in Section 5 — security against a dishonest server that can store all the communicated qubits, but is restricted to measure them qubit-wise (in arbitrary qubit bases) at the end of the protocol execution. Thus, beyond sufficient quantum storage, quantum computation that involves pairs of qubits is necessary (and in fact sufficient) to break the new scheme.

Restricting the dishonest server to qubit-wise measurements may look restrictive; however, we stress that in order to break the scheme, the dishonest server needs to store many qubits and perform quantum operations on them that go beyond single-qubit operations; this may indeed be considerably more challenging than storing many qubits and measuring them qubit-wise. Furthermore, it turns out that proving security against such a dishonest server that is restricted to qubit-wise measurements is already challenging; indeed, standard techniques do not seem applicable here. Therefore, handling a dishonest server that can, say, act on blocks of qubits, must be left to future research.

4.1 Security Definitions 

We first formalize the security properties we want to achieve. We borrow the definitions from [DFSS07], which are argued to be "the right ones" in [FS09].

Definition 10 (Correctness). An identification protocol is said to be $\varepsilon$-correct if, after an execution by honest U and honest S, S accepts with probability $1 - \varepsilon$.

Definition 11 (User security). An identification protocol for two parties U, S is $\varepsilon$-secure for the user U against (dishonest) server S* if the following holds: If the initial state of S* is independent of $W$, then its state $E$ after execution of the protocol is such that there exists a random variable $W'$ that is independent of $W$ and such that

$$\rho_{WW'E|W\ne W'} \approx_\varepsilon \rho_{W\leftrightarrow W'\leftrightarrow E|W\ne W'}.$$

Definition 12 (Server security). An identification protocol for two parties U, S is $\varepsilon$-secure for the server S against (dishonest) user U* if the following holds: whenever the initial state of U* is independent of $W$, then there exists a random variable $W'$ (possibly $\bot$) that is independent of $W$ such that if $W \ne W'$ then S accepts with probability at most $\varepsilon$. Furthermore, the common state $\rho_{WE}$ after execution of the protocol (including S's announcement to accept or reject) satisfies

$$\rho_{WW'E|W\ne W'} \approx_\varepsilon \rho_{W\leftrightarrow W'\leftrightarrow E|W\ne W'}.$$
We will prove the user-security of the protocol in two different models, in which different assumptions are made. Because these assumptions are in some sense "orthogonal", the hope is that if security breaks down in one model due to a failing assumption, the protocol is still secure in the other model.

4.2 Description of the New Quantum Identification Scheme

Let $C \subseteq \{+,\times\}^n$ be a binary code with minimum distance $d$, and let $c : W \to C$ be its encoding function. Let $m := |W|$, and typically, $m < 2^n$. Let $\mathcal{F}$ be the class of all linear functions from $\{0,1\}^n$ to $\{0,1\}^\ell$, where $\ell < n$, represented as $\ell \times n$ binary matrices. It is well-known that this class is two-universal. Furthermore, let $\mathcal{G}$ be a strongly two-universal class of hash functions from $W$ to $\{0,1\}^\ell$. Protocol Q-ID is shown below.

Protocol Q-ID

1. U picks $x \in \{0,1\}^n$ independently and uniformly at random and sends $|x\rangle_{c(w)}$ to S.

2. S measures in basis $c(w)$. Let $x'$ be the outcome.

3. U picks $f \in \mathcal{F}$ independently and uniformly at random and sends it to S.

4. S picks $g \in \mathcal{G}$ independently and uniformly at random and sends it to U.

5. U computes and sends $z := f(x) \oplus g(w)$ to S.

6. S accepts if and only if $z = z'$ where $z' := f(x') \oplus g(w)$.
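As an added illustration (not code from the paper), here is a classical simulation of Protocol Q-ID in Python: it runs the six steps with an honest U and S to confirm that S always accepts, and runs them with a dishonest user who follows the protocol with a guessed password $w^* \ne w$ and is accepted only with probability $2^{-\ell}$ per execution (the quantity behind Theorem 13). Qubits are simulated by the standard rule that measuring in the preparation basis returns the encoded bit and measuring in the other basis returns a uniformly random bit; the code $C$, $\ell$ and the seed are constructed choices, and $\mathcal{G}$ is realised as a uniformly random function $W \to \{0,1\}^\ell$, which is strongly two-universal.

```python
# Added example, not from the paper: classical simulation of Protocol Q-ID.
import random
from typing import Dict, List

Bits = List[int]


class QID:
    def __init__(self, code: Dict[int, str], ell: int, rng: random.Random):
        # code: the encoding function c : W -> C, C a subset of {+, x}^n, as a dict
        self.c, self.ell, self.rng = code, ell, rng
        self.n = len(next(iter(code.values())))

    # --- steps (1)/(2): conjugate coding and qubit-wise measurement ---------
    def prepare(self, x: Bits, basis: str):
        """U sends |x>_{c(w)}; the simulated qubits carry (x, preparation basis)."""
        return (list(x), basis)

    def measure(self, qubits, basis: str) -> Bits:
        """Matching basis reproduces the bit; a mismatched basis gives a random bit."""
        x, prep_basis = qubits
        return [xi if pb == mb else self.rng.randrange(2)
                for xi, pb, mb in zip(x, prep_basis, basis)]

    # --- hash families -------------------------------------------------------
    def random_linear_f(self) -> List[Bits]:
        """f in F: uniformly random ell x n binary matrix (a two-universal class)."""
        return [[self.rng.randrange(2) for _ in range(self.n)] for _ in range(self.ell)]

    def random_g(self) -> Dict[int, Bits]:
        """g in G: a uniformly random function W -> {0,1}^ell, strongly two-universal."""
        return {w: [self.rng.randrange(2) for _ in range(self.ell)] for w in self.c}

    @staticmethod
    def apply_f(f: List[Bits], x: Bits) -> Bits:
        return [sum(a & b for a, b in zip(row, x)) % 2 for row in f]

    @staticmethod
    def xor(a: Bits, b: Bits) -> Bits:
        return [u ^ v for u, v in zip(a, b)]

    # --- one protocol execution ---------------------------------------------
    def run(self, w_user: int, w_server: int) -> bool:
        """Return True iff S accepts; w_user is the password that U (or U*) uses."""
        x = [self.rng.randrange(2) for _ in range(self.n)]        # step 1
        qubits = self.prepare(x, self.c[w_user])
        x_prime = self.measure(qubits, self.c[w_server])            # step 2
        f = self.random_linear_f()                                  # step 3
        g = self.random_g()                                         # step 4
        z = self.xor(self.apply_f(f, x), g[w_user])                 # step 5
        z_prime = self.xor(self.apply_f(f, x_prime), g[w_server])   # step 6
        return z == z_prime


def acceptance_counts(trials: int, seed: int = 7) -> Dict[str, int]:
    """Honest runs are always accepted; a user with a wrong password is accepted
    with probability 2^{-ell} per run, since g(w) xor g(w*) is uniform."""
    rng = random.Random(seed)
    code = {0: "++++++++", 1: "+x+x+x+x", 2: "xx++xx++", 3: "xxxxxxxx"}  # constructed, d = 4
    qid = QID(code, ell=16, rng=rng)
    honest = sum(qid.run(w, w) for w in range(4) for _ in range(trials // 4))
    wrong = sum(qid.run((w + 1) % 4, w) for w in range(4) for _ in range(trials // 4))
    return {"honest_accepted": honest, "wrong_password_accepted": wrong}
```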



Our scheme is quite similar to the scheme in [DFSS07]. The difference is that in our scheme, both parties, U and S, use $c(w)$ as basis for preparing/measuring the qubits in steps (1) and (2), whereas in [DFSS07] only S uses $c(w)$ and U uses a random basis $\theta \in \{+,\times\}^n$ instead, and then U communicates $\theta$ to S and all the positions where $\theta$ and $c(w)$ differ are dismissed. Thus, in some sense, our new scheme is more natural: why should U use a random basis when he knows the right basis (i.e., the one that S uses)? In [DFSS07], using a random basis (for U) was crucial for their proof technique, which is based on an entropic uncertainty relation of a certain form, which asks for a random basis. However, using a random basis, which then needs to be announced, renders the scheme insecure against a dishonest server S* that is capable of storing all the communicated qubits and then measuring them in the right basis once it has been announced. Our new uncertainty relation applies to the case where an $n$-qubit state is measured in a basis that is sampled from a code $C$, and thus is applicable to the new scheme where U uses basis $c(w) \in C$. Since this basis is common knowledge (to the honest participants), it does not have to be communicated, and as such a straightforward store-and-then-measure attack as above does not apply.

A downside of our scheme is that security only holds in case of a perfect quantum 
source, which emits exactly one qubit when triggered. Indeed, a multi-photon emission 
enables a dishonest server S* to learn information on the basis used, and thus gives away 
information on the password w in our scheme. As such, our scheme is currently mainly of 
theoretical interest. 

It is straightforward to verify that (in the ideal setting with perfect sources, no noise, etc.) Q-ID satisfies the correctness property (Definition 10) perfectly, i.e. $\varepsilon = 0$. In the remaining sections, we prove (unconditional) security against a dishonest user, and we prove security against two kinds of restricted dishonest servers. First, against a dishonest server that has limited quantum storage capabilities, and then against a dishonest server that can store an unbounded number of qubits, but can only store and measure them qubit-wise.

4.3 (Unconditional) Server Security 

First, we claim security of Q-ID against an arbitrary dishonest user U* (that is merely restricted by the laws of quantum mechanics).

Theorem 13. Q-ID is $\varepsilon$-secure for the server with $\varepsilon = \binom{m}{2}2^{-\ell}$.

Proof. Clearly, from the steps (1) to (5) in the protocol Q-ID, U* learns no information on $W$ at all. The only information he may learn is by observing whether S accepts or not in step (6). Therefore, in order to prove server security, it suffices to show the existence of a random variable $W'$, independent of $W$, with the property that S rejects whenever $W \ne W'$ (except with probability $\frac12 m(m-1)2^{-\ell}$).

We may assume that $W = \{1, \ldots, m\}$. Let $\rho_{WX'FGZE}$ be the state describing the password $W$, the variables $X', F, G$ and $Z$ occurring in the protocol from the server's point of view, and U*'s quantum state $E$ before observing S's decision to accept or reject. For any $w \in W$, consider the state $\rho^w_{X'FGZE} := \rho_{X'FGZE|W=w}$. Note that the reduced state $\rho^w_{FGZE}$ is the same for any $w \in W$; this follows from the assumption that U*'s initial state is independent of $W$ and because $F$, $G$ and $Z$ are produced independently of $W$. We may thus write $\rho^w_{FGZE}$ as $\rho_{FGZE}$, and we can "glue together" the states $\rho^w_{X'FGZE}$ for all choices of $w$. This means, there exists a state $\rho_{X'_1\cdots X'_mFGZE_1\cdots E_m}$ that correctly reduces to $\rho_{X'_wFGZE_w} = \rho^w_{X'FGZE}$ for any $w \in W$, and conditioned on $FGZ$, we have that $X'_iE_i$ is independent of $X'_jE_j$ for any $i \ne j \in W$. It is easy to see that for any $i \ne j \in W$, $G$ is independent of $X'_i$, $X'_j$ and $F$. Therefore, by the strong two-universality of $G$, for any $i \ne j$ it holds that $Z'_i \ne Z'_j$ except with probability $2^{-\ell}$, where $Z'_w = FX'_w + G(w)$ for any $w$. Therefore, by the union bound, $Z'_1, \ldots, Z'_m$ are pairwise distinct and thus $Z$ can coincide with at most one of the $Z'_w$'s, except with probability $\varepsilon = \frac12 m(m-1)2^{-\ell}$. Let $W'$ be defined such that $Z = Z'_{W'}$; if there is no such $Z'_w$ then we let $W' = \bot$, and if there is more than one then we let it be the first. Recall, the latter can happen with probability at most $\varepsilon$. We now extend the state $\rho_{X'_1\cdots X'_mFGZW'E_1\cdots E_m}$ by $W$, chosen independently according to $P_W$. Clearly $W'$ is independent of $W$. Furthermore, except with probability at most $\varepsilon$, if $W \ne W'$ then $Z \ne Z'_W$. Finally note that $\rho_{X'_WFGZWW'E_W}$ is such that

$$\rho_{X'_WFGZWE_W} = \sum_w P_W(w)\,\rho_{X'_wFGZE_w}\otimes|w\rangle\langle w| = \sum_w P_W(w)\,\rho^w_{X'FGZE}\otimes|w\rangle\langle w| = \rho_{X'FGZWE}.$$

Thus, also with respect to the state $\rho_{X'FGZWE}$ there exists $W'$, independent of $W$, such that if $W \ne W'$ then $Z \ne Z'$ except with probability at most $\varepsilon$. This was to be shown. □

4.4 User Security in the Bounded-Quantum-Storage Model 

Next, we consider a dishonest server S*, and first prove security of Q-ID in the bounded-quantum-storage model. In this model, as introduced in [DFSS05], it is assumed that the adversary (here S*) cannot store more than a fixed number of qubits, say $q$. The security proof of Q-ID in the bounded-quantum-storage model is very similar to the corresponding proof in [DFSS07] for their scheme, except that we use the new uncertainty relation from Section 3. Furthermore, since our uncertainty relation (Theorem 9) already guarantees the existence of the random variable $W'$ as required by the security property, no entropy-splitting as in [DFSS07] is needed.
In the following, let $\delta := d/n$, i.e. the relative minimum distance of $C$.

Theorem 14. Let S* be a dishonest server whose quantum memory is at most $q$ qubits at step 3 of Q-ID. Then, for any $0 < \kappa < \delta/4$, Q-ID is $\varepsilon$-secure for the user with

$$\varepsilon = 2^{-\frac12((\delta/2-2\kappa)n - 1 - q - \ell)} + 4\cdot 2^{-\kappa n}.$$

Proof. We consider and analyze a purified version of Q-ID where in step (1) instead of sending $|X\rangle_{c(W)}$ to S* for a uniformly distributed $X$, U prepares a fully entangled state $2^{-n/2}\sum_x |x\rangle|x\rangle$ and sends the second register to S* while keeping the first. Then, in step (3) when the memory bound has applied, U measures his register in the basis $c(W)$ in order to obtain $X$. Note that this procedure produces exactly the same common state as in the original (non-purified) version of Q-ID. Thus, we may just as well analyze this purified version.

The state of S* consists of his initial state and his part of the EPR pairs, and may include an additional ancilla register. Before the memory bound applies, S* may perform any unitary transformation on his composite system. When the memory bound is applied (just before step (3) is executed in Q-ID), S* has to measure all but $q$ qubits of his system. Let the classical outcome of this measurement be denoted by $y$, and let $E'$ be the remaining quantum state of at most $q$ qubits. The common state has collapsed to an $(n+q)$-qubit state and depends on $y$; the analysis below holds for any $y$. Next, U measures his $n$-qubit part of the common state in basis $c(W)$; let $X$ denote the classical outcome of this measurement. By our new uncertainty relation (Theorem 9) and subsequently applying the min-entropy chain rule that is given in Lemma 5 (to take the $q$ stored qubits into account) it follows that there exists $W'$, independent of $W$, and an event $\Psi$ that occurs with probability at least $1 - 2\cdot 2^{-\kappa n}$, such that

$$H_{\min}(X\,|\,E', W=w, W'=w', \Psi) \ge (\delta/2 - 2\kappa)n - 1 - q$$

for any $w, w'$ such that $w \ne w'$. Because U chooses $F$ independently at random from a 2-universal family, privacy amplification guarantees that

$$d_{\mathrm{unif}}(F(X)\,|\,E'F, W=w, W'=w') \le \varepsilon' := \tfrac12\cdot 2^{-\frac12((\delta/2-2\kappa)n - 1 - q - \ell)} + 2\cdot 2^{-\kappa n}$$

for any $w, w'$ such that $w \ne w'$. Recall that $Z = F(X) \oplus G(W)$. By security of the one-time pad it follows that

$$d_{\mathrm{unif}}(Z\,|\,E'FG, W=w, W'=w') \le \varepsilon', \qquad (2)$$

for any $w, w'$ such that $w \ne w'$. To prove the claim, we need to bound

$$\begin{aligned} \delta\bigl(\rho_{WW'E|W\ne W'},\ \rho_{W\leftrightarrow W'\leftrightarrow E|W\ne W'}\bigr) &= \tfrac12\bigl\|\rho_{WW'E'FGZ|W\ne W'} - \rho_{W\leftrightarrow W'\leftrightarrow E'FGZ|W\ne W'}\bigr\|_1 \\ &\le \tfrac12\bigl\|\rho_{WW'E'FGZ|W\ne W'} - \rho_{WW'E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell}\bigr\|_1 \\ &\quad + \tfrac12\bigl\|\rho_{WW'E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell} - \rho_{W\leftrightarrow W'\leftrightarrow E'FGZ|W\ne W'}\bigr\|_1 \qquad (3) \end{aligned}$$

where the equality follows by definition of trace distance (Definition 3) and the fact that the output state $E$ is obtained by applying a unitary transformation to the set of registers $(E', F, G, W', Z)$. The inequality is the triangle inequality; in the remainder of the proof, we will show that both terms in (3) are upper bounded by $\varepsilon'$.

$$\tfrac12\bigl\|\rho_{WW'E'FGZ|W\ne W'} - \rho_{WW'E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell}\bigr\|_1 = \sum_{w\ne w'} P_{WW'|W\ne W'}(w,w')\, d_{\mathrm{unif}}(Z\,|\,E'FG, W=w, W'=w') \le \varepsilon',$$

where the latter inequality follows from (2). For the other term, we reason as follows:

$$\begin{aligned} &\tfrac12\bigl\|\rho_{WW'E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell} - \rho_{W\leftrightarrow W'\leftrightarrow E'FGZ|W\ne W'}\bigr\|_1 \\ &= \tfrac12\sum_{w\ne w'} P_{WW'|W\ne W'}(w,w')\,\bigl\|\rho^{w,w'}_{E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell} - \rho^{w'}_{E'FGZ|W\ne W'}\bigr\|_1 \\ &= \tfrac12\sum_{w\ne w'} P_{WW'|W\ne W'}(w,w')\,\Bigl\|\rho^{w,w'}_{E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell} - \sum_{w''\ne w'} P_{W|W',W\ne W'}(w''\,|\,w')\,\rho^{w'',w'}_{E'FGZ|W\ne W'}\Bigr\|_1 \\ &= \tfrac12\sum_{w\ne w'} P_{WW'|W\ne W'}(w,w')\,\Bigl\|\sum_{w''\ne w'} P_{W|W',W\ne W'}(w''\,|\,w')\Bigl(\rho^{w'',w'}_{E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell} - \rho^{w'',w'}_{E'FGZ|W\ne W'}\Bigr)\Bigr\|_1 \\ &\le \tfrac12\sum_{w\ne w'} P_{WW'|W\ne W'}(w,w')\,\bigl\|\rho^{w,w'}_{E'FG|W\ne W'}\otimes\tfrac{\mathbb{I}}{2^\ell} - \rho^{w,w'}_{E'FGZ|W\ne W'}\bigr\|_1 \\ &= \sum_{w\ne w'} P_{WW'|W\ne W'}(w,w')\, d_{\mathrm{unif}}(Z\,|\,E'FG, W=w, W'=w') \le \varepsilon', \end{aligned}$$

where the first equality follows by definition of conditional independence and by a basic property of the trace distance; the third equality follows by linearity of the trace distance and because $E'FG$ is independent of $W$ given $W'$ (so that $\rho^{w,w'}_{E'FG|W\ne W'} = \rho^{w'',w'}_{E'FG|W\ne W'}$ for all $w, w''$), and the subsequent inequality is the triangle inequality together with a reindexing of the sum. The inequality on the last line follows from (2). This proves the claim. □



5 User Security in the Single-Qubit-Operations Model 

We now consider a dishonest server S* that can store an unbounded number of qubits. Clearly, against such an S*, Theorem 14 provides no security guarantee anymore. We show here that there is still some level of security left. Specifically, we show that Q-ID is still secure against a dishonest server S* that can reliably store all the communicated qubits and measure them qubit-wise and non-adaptively at the end of the protocol. This feature distinguishes our identification protocol from the protocol from [DFSS07], which completely breaks down against such an attack.

5.1 The Model 

Formally, a dishonest server S* in the SQOM is modeled as follows.

1. S* may reliably store the $n$-qubit state $|x\rangle_{c(w)} = |x_1\rangle_{c(w)_1}\otimes\cdots\otimes|x_n\rangle_{c(w)_n}$ received in step (1) of Q-ID.

2. At the end of the protocol, in step (5), S* chooses an arbitrary sequence $\theta = (\theta_1, \ldots, \theta_n)$, where each $\theta_i$ describes an arbitrary orthonormal basis of $\mathbb{C}^2$, and measures each qubit $|x_i\rangle_{c(w)_i}$ in basis $\theta_i$ to observe $Y_i \in \{0,1\}$. Hence, we assume that S* measures all qubits at the end of the protocol.

3. The choice of $\theta$ may depend on all the classical information gathered during the execution of the protocol, but we assume a non-adaptive setting where $\theta_i$ does not depend on $Y_j$ for $i \ne j$, i.e., S* has to choose $\theta$ entirely before performing any measurement.

Considering complete projective measurements acting on individual qubits, rather than 
general single-qubit POVMs, may be considered a restriction of our model. Nonetheless, 
general POVM measurements can always be described by projective measurements on a 
bigger system. In this sense, restricting to projective measurements is consistent with the 
requirement of single-qubit operations. It seems non-trivial to extend our security proof 
to general single-qubit POVMs. 

The restriction to non-adaptive measurements (item 3) is rather strong, even though 
the protocol from [DFSS07] already breaks down in this non-adaptive setting. The restric- 
tion was introduced as a stepping stone towards proving the adaptive case. Up to now, 
we have unfortunately not yet succeeded in doing so, hence we leave the adaptive case for 
future research. 

We also leave for future research the case of a less restricted dishonest server S* that can do measurements on blocks that are less stringently bounded in size. Whereas the adaptive versus non-adaptive issue appears to be a proof-technical problem (Q-ID looks secure also against an adaptive S*), allowing measurements on larger blocks will require a new protocol, since Q-ID becomes insecure when S* can do measurements on blocks of size 2, as we show later in Section 5.

5.2 No Privacy Amplification 

One might expect that proving security of Q-ID in the SQOM, i.e., against a dishonest server S* that is restricted to single-qubit operations, should be straightforward, but actually the opposite is true, for the following reason. Even though it is not hard to show that after his measurements, S* has lower-bounded uncertainty in $x$ (except if he was able to guess $w$), it is not clear how to conclude that $f(x)$ is close to random so that $z$ does not reveal a significant amount of information about $w$. The reason is that standard privacy amplification fails to apply here. Indeed, the model allows S* to postpone the measurement of all qubits to step (5) of the protocol. The hash function $f$, however, is chosen and sent already in step (3). This means that S* can choose his measurements in step (5) depending on $f$. As a consequence, the distribution of $x$ from the point of view of S* may depend on the choice of the hash function $f$, in which case the privacy-amplification theorem does not give any guarantees.

5.3 Single-Qubit Measurements 

Consider an arbitrary sequence $\theta = (\theta_1, \ldots, \theta_n)$ where each $\theta_i$ describes an orthonormal basis of $\mathbb{C}^2$. Let $|\psi\rangle$ be an $n$-qubit system of the form

$$|\psi\rangle = |x\rangle_b = H^{b_1}|x_1\rangle\otimes\cdots\otimes H^{b_n}|x_n\rangle,$$

where $x$ and $b$ are arbitrary in $\{0,1\}^n$. Measuring $|\psi\rangle$ qubit-wise in basis $\theta$ results in a measurement outcome $Y = (Y_1, \ldots, Y_n) \in \{0,1\}^n$. Suppose that $x$, $b$ and $\theta$ are in fact realizations of the random variables $X$, $B$ and $\Theta$ respectively. It follows immediately from the product structure of the state that

$$P_{Y|XB\Theta}(y\,|\,x,b,\theta) = \prod_{i=1}^{n} P_{Y_i|X_iB_i\Theta_i}(y_i\,|\,x_i,b_i,\theta_i),$$

i.e. the random variables $Y_i$ are statistically independent conditioned on arbitrary fixed values for $X_i$, $B_i$ and $\Theta_i$ but such that $P_{X_iB_i\Theta_i}(x_i,b_i,\theta_i) > 0$.

Lemma 15. The distribution $P_{Y_i|X_iB_i\Theta_i}(y_i\,|\,x_i,b_i,\theta_i)$ exhibits the following symmetries:

$$P_{Y_i|X_iB_i\Theta_i}(0\,|\,0,b_i,\theta_i) = P_{Y_i|X_iB_i\Theta_i}(1\,|\,1,b_i,\theta_i)$$

and

$$P_{Y_i|X_iB_i\Theta_i}(0\,|\,1,b_i,\theta_i) = P_{Y_i|X_iB_i\Theta_i}(1\,|\,0,b_i,\theta_i)$$

for all $i \in [n]$, for all $b_i$ and $\theta_i$ with $P_{X_iB_i\Theta_i}(\xi,b_i,\theta_i) > 0$ for all $\xi \in \{0,1\}$.

The proof can be found in Appendix O. The symmetry characterized in Lemma 15 coincides with that of the binary symmetric channel, i.e. we can view $Y$ as a "noisy version" of $X$, where this noise — produced by the measurement — is independent of $X$.

Formally, we can write $Y$ as

$$Y = X \oplus A, \qquad (4)$$

where the random variable $A = (A_1, \ldots, A_n) \in \{0,1\}^n$ thus represents the error between the random variable $X \in \{0,1\}^n$ that is "encoded" in the quantum state and the measurement outcome $Y \in \{0,1\}^n$. By substituting in Lemma 15 we get the following corollary.

Corollary 16 (Independence Between $A$ and $X$). For every $i \in [n]$ it holds that

$$P_{A_i|X_iB_i\Theta_i}(\delta_i\,|\,x_i,b_i,\theta_i) = P_{A_i|B_i\Theta_i}(\delta_i\,|\,b_i,\theta_i)$$

for all $\delta_i \in \{0,1\}$ and for all $x_i$, $b_i$ and $\theta_i$ such that $P_{X_iB_i\Theta_i}(x_i,b_i,\theta_i) > 0$.

Furthermore, since the random variables $Y_i$ are statistically independent conditioned on fixed values for $X_i$, $B_i$ and $\Theta_i$, it follows that the $A_i$ are statistically independent conditioned on fixed values for $B_i$ and $\Theta_i$.

Definition 17 (Quantized Basis). For any orthonormal basis $\theta_i = \{|v_1\rangle, |v_2\rangle\}$ on $\mathbb{C}^2$, we define the quantized basis of $\theta_i$ as

$$\hat{\theta}_i := j^* \in \{0,1\}, \quad\text{where } j^* \in \operatorname*{arg\,max}_{j\in\{0,1\}}\ \max_{k\in\{1,2\}} \bigl|\langle v_k|H^j|0\rangle\bigr|.$$

If both $j \in \{0,1\}$ attain the maximum, then $j^*$ is chosen arbitrarily. The quantized basis of the sequence $\theta = (\theta_1, \ldots, \theta_n)$ is naturally defined as the element-wise application of the above, resulting in $\hat{\theta} \in \{0,1\}^n$.

We will use the bias as a measure for the predictability of $A_i$.
Theorem 18. When measuring the qubit $H^{b_i}|x_i\rangle$ for any $x_i, b_i \in \{0,1\}$ in any orthonormal basis $\theta_i$ on $\mathbb{C}^2$ for which the quantized basis $\bar\theta_i$ is the complement of $b_i$, i.e. $\bar\theta_i = b_i \oplus 1$, then the bias of $A_i \in \{0,1\}$, where $A_i = Y_i \oplus x_i$ and $Y_i \in \{0,1\}$ is the measurement outcome, is upper bounded by

$$\mathrm{bias}(A_i) \le \frac{1}{\sqrt2}.$$



Since the theorem holds for any $x_i \in \{0,1\}$ and since Corollary 16 guarantees that $A_i$ is independent from an arbitrary random variable $X_i$, the theorem also applies when we replace $x_i$ by the random variable $X_i$.

In order to prove Theorem 18 we need the following lemma.

Lemma 19. If, for any orthonormal basis $\theta_i$ on $\mathbb{C}^2$, there exists a bit $b_i \in \{0,1\}$ so that when measuring the qubit $H^{b_i}|x_i\rangle$ for any $x_i \in \{0,1\}$ in the basis $\theta_i$ to obtain $Z_i \in \{0,1\}$ it holds that

$$\mathrm{bias}(Z_i) \ge 1/\sqrt2,$$

then it holds that when measuring the qubit $H^{b_i\oplus 1}|x_i\rangle$ in the basis $\theta_i$ to obtain $Y_i \in \{0,1\}$,

$$\mathrm{bias}(Y_i) \le 1/\sqrt2.$$

Proof. First note that for any $x_i, b_i \in \{0,1\}$ and any orthonormal basis $\theta_i$ on $\mathbb{C}^2$, measuring a state $H^{b_i}|x_i\rangle$ in $\theta_i = \{|v\rangle, |w\rangle\}$ where $|v\rangle = \alpha|0\rangle + \beta|1\rangle$ and $|w\rangle = \beta|0\rangle - \alpha|1\rangle$ gives the same outcome distribution (up to permutations) as when measuring one of the basis states of $\theta_i$ (when viewed as a quantum state), say $|w\rangle$, using the basis $\{H^{b_i}|x_i\rangle, H^{b_i}|x_i\oplus 1\rangle\}$. To see why this holds, note that it follows immediately that $|\langle w|H^{b_i}|x_i\rangle|^2 = |\langle x_i|H^{b_i}|w\rangle|^2$. Furthermore, we have already shown in the proof of Lemma 15 that

$$|\langle v|H^{b_i}|x_i\rangle|^2 = |\langle w|H^{b_i}|x_i\oplus 1\rangle|^2$$

holds.

Hence, we can apply Theorem 7 with $\rho = |w\rangle\langle w|$ (this implies that $n = 1$), $m = 2$, and $\mathcal{B}_0$ and $\mathcal{B}_1$ the computational and Hadamard basis respectively. The maximum overlap between those bases is $c = 1/\sqrt2$. Theorem 7 gives us that

$$p_{\max}^{\{|0\rangle,|1\rangle\}} + p_{\max}^{\{|+\rangle,|-\rangle\}} \le 1 + \frac{1}{\sqrt2},$$

where $p_{\max}^{\{|0\rangle,|1\rangle\}}$ and $p_{\max}^{\{|+\rangle,|-\rangle\}}$ respectively denote the maximum probability in the distribution obtained by measuring in the computational and Hadamard basis. By simple manipulations we can write this as a bound on the sum of the biases:

$$\sqrt2 \ge \big(2p_{\max}^{\{|0\rangle,|1\rangle\}} - 1\big) + \big(2p_{\max}^{\{|+\rangle,|-\rangle\}} - 1\big) = \mathrm{bias}(Y_i) + \mathrm{bias}(Z_i). \qquad (5)$$

From this relation, the claim follows immediately. □

Following [Sch07], we want to remark that both biases in (5) are equal to $1/\sqrt2$ when $\theta_i$ is the Breidbart basis, which is the basis that is precisely "in between" the computational and the Hadamard basis:^3

$$|v\rangle = \cos(\tfrac{\pi}{8})|0\rangle + \sin(\tfrac{\pi}{8})|1\rangle \quad\text{and}\quad |w\rangle = \sin(\tfrac{\pi}{8})|0\rangle - \cos(\tfrac{\pi}{8})|1\rangle.$$

^3 In [Sch07], the corresponding state is called the "Hadamard-invariant state."
Proof of Theorem 18. Let $\theta_i = \{|v_0\rangle, |v_1\rangle\}$. We will make a case distinction based on the value of

$$M := \max_{k\in\{0,1\}} |\langle v_k|H^{\bar\theta_i}|0\rangle|. \qquad (6)$$

If $M \le \cos(\pi/8)$, then we also have that $\max_{k\in\{0,1\}} |\langle v_k|H^{b_i}|x_i\rangle| \le \cos(\pi/8)$ where $b_i = \bar\theta_i \oplus 1$; this holds by definition of the quantized basis (Definition 17). Then, the probability of obtaining outcome $Y_i = k^*$, where $k^* \in \{0,1\}$ achieves the maximum in (6), is bounded by

$$P_{Y_i}(k^*) = |\langle v_{k^*}|H^{b_i}|x_i\rangle|^2 \le \cos^2(\pi/8) = \tfrac12 + \tfrac{1}{2\sqrt2}.$$

Hence,

$$\mathrm{bias}(A_i) = \mathrm{bias}(Y_i) = |P_{Y_i}(k^*) - (1 - P_{Y_i}(k^*))| = |2P_{Y_i}(k^*) - 1| \le \frac{1}{\sqrt2}.$$

If $M > \cos(\pi/8)$, then when measuring the state $H^{\bar\theta_i}|x_i\rangle$ in $\theta_i$ to obtain $Z_i \in \{0,1\}$, we have that $\mathrm{bias}(Z_i) \ge 1/\sqrt2$ (this follows from similar computations as performed above). We now invoke Lemma 19 to conclude that when measuring the state $H^{b_i}|x_i\rangle$ in $\theta_i$ to obtain $Y_i$, $\mathrm{bias}(A_i) = \mathrm{bias}(Y_i) \le 1/\sqrt2$. □

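The single-qubit statements above (the symmetry of Lemma 15, the quantized basis of Definition 17, inequality (5) and the $1/\sqrt2$ bound of Theorem 18) can be checked numerically for real-amplitude bases of $\mathbb{C}^2$. The following Python is an added illustration written for this page, not code from the paper: it assumes the basis is parametrised by one angle $\varphi$ (so $|v\rangle = \cos\varphi|0\rangle + \sin\varphi|1\rangle$ and $|w\rangle = \sin\varphi|0\rangle - \cos\varphi|1\rangle$, the $\alpha/\beta$ form of Appendix C), breaks ties in Definition 17 towards $j = 0$, and uses $\mathrm{bias}(A) = |2\Pr[A=0] - 1|$.

```python
import math

SQRT2 = math.sqrt(2.0)


def basis_from_angle(phi):
    """Orthonormal basis theta = {|v>, |w>} of C^2 with real amplitudes (assumption of this example):
    |v> = cos(phi)|0> + sin(phi)|1>,  |w> = sin(phi)|0> - cos(phi)|1>."""
    return [(math.cos(phi), math.sin(phi)), (math.sin(phi), -math.cos(phi))]


def encoded(x, b):
    """Amplitudes of H^b |x>: computational basis for b = 0, Hadamard basis for b = 1."""
    if b == 0:
        return (1.0, 0.0) if x == 0 else (0.0, 1.0)
    return (1.0 / SQRT2, (1.0 if x == 0 else -1.0) / SQRT2)


def outcome_probs(state, basis):
    """Born rule: probability of outcome k is |<v_k|state>|^2 (real amplitudes, so no conjugation)."""
    return [(v[0] * state[0] + v[1] * state[1]) ** 2 for v in basis]


def bias(probs):
    """bias of a bit with distribution (p0, p1): |p0 - p1| = |2 p0 - 1|."""
    return abs(2.0 * probs[0] - 1.0)


def quantized_basis(basis):
    """Definition 17: the j in {0,1} whose encoding H^j|0> has the largest overlap with some basis vector.
    Ties are broken towards j = 0 (the definition allows any choice)."""
    overlap = [max(abs(v[0] * z[0] + v[1] * z[1]) for v in basis)
               for z in (encoded(0, 0), encoded(0, 1))]
    return 0 if overlap[0] >= overlap[1] else 1


def bias_of_a(x, b, basis):
    """Measure H^b|x> in `basis` to obtain Y; A = Y xor x has the same bias as Y."""
    return bias(outcome_probs(encoded(x, b), basis))


def max_bias_theorem18(steps=360):
    """Largest bias(A_i) over a grid of bases when the encoding basis b is the complement of the
    quantized basis, i.e. the situation of Theorem 18. Expected: at most 1/sqrt(2)."""
    worst = 0.0
    for k in range(steps):
        basis = basis_from_angle(k * math.pi / steps)
        b = quantized_basis(basis) ^ 1
        worst = max(worst, bias_of_a(0, b, basis), bias_of_a(1, b, basis))
    return worst


def symmetry_gap(phi, b):
    """Lemma 15: P(Y=0 | X=1) must equal P(Y=1 | X=0) for bases in the alpha/beta form."""
    basis = basis_from_angle(phi)
    return abs(outcome_probs(encoded(1, b), basis)[0] - outcome_probs(encoded(0, b), basis)[1])


def bias_sum(phi, b):
    """bias(Y_i) + bias(Z_i) of equation (5): Z_i from measuring H^b|0>, Y_i from H^{b xor 1}|0>.
    Must stay below sqrt(2); equality is reached at the Breidbart basis phi = pi/8."""
    basis = basis_from_angle(phi)
    return bias_of_a(0, b, basis) + bias_of_a(0, b ^ 1, basis)


if __name__ == "__main__":
    print("max bias(A_i) in Theorem 18's setting:", max_bias_theorem18())
    print("bias sum (5) at the Breidbart basis:", bias_sum(math.pi / 8, 0))
```

The grid contains $\varphi = \pi/8$ itself, so the maximum returned by `max_bias_theorem18` is the tight value $1/\sqrt2$ from the Breidbart remark; at every other angle the bias is strictly smaller.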
5.4 User Security of Q-ID 

We are now ready to state and prove the security of Q-ID against a dishonest user in the SQOM.

Theorem 20 (User Security). Let $S^*$ be a dishonest server with unbounded quantum storage that is restricted to non-adaptive single-qubit operations, as specified in Section 5.1. Then, for any $0 < \beta < \frac14$, user security (as defined in Definition 11) holds with

$$\varepsilon \le \tfrac12\, 2^{\frac{\ell}{2} - \frac14(\frac14-\beta)d} + \binom{m}{2} 2^{2\ell} \exp(-2d\beta^2).$$

Note that $d$ is typically linear in $n$ whereas $\ell$ is chosen independently of $n$, hence the expression above is negligible in $d$.

To prove Theorem 20 we need the following technical lemma and corollary. Recall that $\mathcal{F}$ denotes the class of all linear functions from $\{0,1\}^n$ to $\{0,1\}^\ell$, where $\ell < n$, represented as binary $\ell \times n$ matrices.

Lemma 21. Let $n$, $k$ and $\ell$ be arbitrary positive integers, let $0 < \beta < \frac14$ and let $I \subseteq [n]$ such that $|I| \ge k$, and let $F$ be uniform over $\mathcal{F} = \{0,1\}^{\ell\times n}$. Then, it holds except with probability $2^{2\ell}\exp(-2k\beta^2)$ (the probability is over the random matrix $F$) that

$$|(f\odot g)_I| > (\tfrac14-\beta)k \quad \forall f, g \in \mathrm{span}(F)\setminus\{0^n\}.$$

Proof. Without loss of generality, we will assume that $|I| = k$. Now take arbitrary but non-zero vectors $r, s \in \{0,1\}^\ell$ and let $V := rF$ and $W := sF$. We will analyze the case $r \neq s$; the case $r = s$ is similar but simpler. Because each element of $F$ is an independent random bit, and $r$ and $s$ are non-zero and $r \neq s$, $V$ and $W$ are independent and uniformly distributed $n$-bit vectors with expected relative Hamming weight $1/2$. Hence, on average $|(V\odot W)_I|$ equals $k/4$. Furthermore, using Hoeffding's inequality (Theorem 2), we may conclude that

$$\Pr\Big[\tfrac{k}{4} - |(V\odot W)_I| > \beta k\Big] = \Pr\Big[|(V\odot W)_I| < (\tfrac14-\beta)k\Big] \le \exp(-2k\beta^2).$$

Finally, the claim follows by applying the union bound over the choice of $r$ and $s$ (each $2^\ell$ possibilities). □

Recall that $C$ is a binary code with minimum distance $d$, $c(\cdot)$ its encoding function, and that $m := |\mathcal{W}|$.

Corollary 22. Let $0 < \beta < \frac14$, and let $F$ be uniformly distributed over $\mathcal{F}$. Then, $F$ has the following property except with probability $\binom{m}{2}2^{2\ell}\exp(-2d\beta^2)$: for any string $s \in \{0,1\}^n$ (possibly depending on the choice of $F$), there exists at most one $\tilde c \in C$ such that for any code word $c \in C$ different from $\tilde c$, it holds that

$$|f\odot(c\oplus s)| > \tfrac12(\tfrac14-\beta)d \quad \forall f \in \mathrm{span}(F)\setminus\{0^n\}.$$

We prove the statement by arguing for two $\tilde c$'s and showing that they must be identical. In the proof, we will make use of the two following propositions.

Proposition 23. $|a| \ge |a\odot b|$ for all $a, b \in \{0,1\}^n$.

Proof. Follows immediately. □

Proposition 24. $|a\odot b| + |a\odot c| \ge |a\odot(b\oplus c)|$ for all $a, b, c \in \{0,1\}^n$.

Proof. $|a\odot(b\oplus c)| = |a\odot b \oplus a\odot c| \le |a\odot b| + |a\odot c|$, where the equality is the distributivity of the Schur product, and the inequality is the triangle inequality for the Hamming weight. □

Proof of Corollary 22. By Lemma 21 with $I := \{i \in [n] : c_i \neq c'_i\}$ for $c, c' \in C$, and by applying the union bound over all possible pairs $(c, c')$, we obtain that except with probability $\binom{m}{2}2^{2\ell}\exp(-2d\beta^2)$ (over the choice of $F$), it holds that

$$|f\odot g\odot(c\oplus c')| > (\tfrac14-\beta)d \qquad (7)$$

for all $f, g \in \mathrm{span}(F)\setminus\{0^n\}$ and all $c, c' \in C$ with $c \neq c'$.

Now, for such an $F$, and for every choice of $s \in \{0,1\}^n$, consider $c_1, c_2 \in C$ and $f_1, f_2 \in \mathrm{span}(F)\setminus\{0^n\}$ such that

$$|f_1\odot(c_1\oplus s)| \le \tfrac12(\tfrac14-\beta)d \quad\text{and}\quad |f_2\odot(c_2\oplus s)| \le \tfrac12(\tfrac14-\beta)d.$$

We will show that this implies $c_1 = c_2$, which proves the claim. Indeed, we can write

$$(\tfrac14-\beta)d \ge |f_1\odot(c_1\oplus s)| + |f_2\odot(c_2\oplus s)| \ge |f_1\odot f_2\odot(c_1\oplus s)| + |f_1\odot f_2\odot(c_2\oplus s)| \ge |f_1\odot f_2\odot(c_1\oplus c_2)|,$$

where the second inequality is Proposition 23 applied twice and the third inequality is Proposition 24. This contradicts (7) unless $c_1 = c_2$. □

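Lemma 21 and Corollary 22 are easy to exercise by simulation. The following Python is an added, self-contained illustration, not code from the paper: vectors in $\{0,1\}^n$ are encoded as Python integers ($\odot$ is bitwise AND, $\oplus$ is XOR, $|\cdot|$ is the popcount), the code $C$ is a constructed four-word code with minimum distance $n/2$, and the matrix $F$ is sampled uniformly with a fixed seed. It counts how often inequality (7) fails, compares that against the bound $\binom{m}{2}2^{2\ell}\exp(-2d\beta^2)$, and shows the "at most one $\tilde c$" property of Corollary 22 for an $s$ chosen to coincide with a code word (the case where one code word does violate the bound).

```python
import math
import random
from itertools import combinations


def weight(v):
    """Hamming weight of an int-encoded binary vector."""
    return bin(v).count("1")


def span_nonzero(F):
    """span(F) without 0^n: all non-zero combinations r*F of the rows of F (rows given as ints)."""
    vecs = set()
    for r in range(1, 2 ** len(F)):
        v = 0
        for i, row in enumerate(F):
            if (r >> i) & 1:
                v ^= row
        if v:
            vecs.add(v)
    return sorted(vecs)


def min_distance(C):
    """Minimum distance d of the code C."""
    return min(weight(c1 ^ c2) for c1, c2 in combinations(C, 2))


def toy_code(n):
    """Constructed code with m = 4 words and minimum distance n/2 (n even):
    0^n, 1^n, (01)^{n/2} and (10)^{n/2}. Not a code from the paper."""
    alt = int("01" * (n // 2), 2)
    return [0, (1 << n) - 1, alt, alt ^ ((1 << n) - 1)]


def sample_matrix(l, n, seed):
    """Uniformly random l x n binary matrix, rows as ints."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(l)]


def violates_lemma21(F, C, beta):
    """True if some f, g in span(F)\\{0^n} and c != c' in C give |f ⊙ g ⊙ (c ⊕ c')| <= (1/4 - beta) d,
    i.e. if inequality (7) fails for this F."""
    thr = (0.25 - beta) * min_distance(C)
    S = span_nonzero(F)
    diffs = [c1 ^ c2 for c1, c2 in combinations(C, 2)]
    return any(weight(f & g & delta) <= thr for f in S for g in S for delta in diffs)


def bad_codewords(F, C, s, beta):
    """Code words c for which some non-zero f in span(F) gives |f ⊙ (c ⊕ s)| <= (1/2)(1/4 - beta) d.
    Corollary 22 says a 'good' F leaves at most one such c, whatever s is."""
    thr = 0.5 * (0.25 - beta) * min_distance(C)
    S = span_nonzero(F)
    return [c for c in C if any(weight(f & (c ^ s)) <= thr for f in S)]


def failure_bound(m, l, d, beta):
    """Corollary 22's failure probability: C(m,2) * 2^{2l} * exp(-2 d beta^2)."""
    return math.comb(m, 2) * 2 ** (2 * l) * math.exp(-2 * d * beta ** 2)


def simulate(n=1000, l=3, beta=0.125, trials=100, seed=1):
    """Returns (empirical fraction of F violating (7), the analytic bound, largest number of
    'bad' code words seen for a random s)."""
    C = toy_code(n)
    d = min_distance(C)
    rng = random.Random(seed)
    failures, worst = 0, 0
    for _ in range(trials):
        F = [rng.getrandbits(n) for _ in range(l)]
        if violates_lemma21(F, C, beta):
            failures += 1
        s = rng.getrandbits(n)  # Corollary 22 allows any s, even one depending on F
        worst = max(worst, len(bad_codewords(F, C, s, beta)))
    return failures / trials, failure_bound(len(C), l, d, beta), worst


if __name__ == "__main__":
    rate, bound, worst = simulate()
    print("empirical failure rate:", rate, " bound:", bound, " max #bad code words:", worst)
    C = toy_code(1000)
    print("bad code words for s = c_0:", [C.index(c) for c in bad_codewords(sample_matrix(3, 1000, 7), C, C[0], 0.125)])
```

With $n = 1000$, $d = 500$, $\ell = 3$ and $\beta = 1/8$ the bound is about $6\cdot 10^{-5}$, so no violation is expected in a hundred trials; for $s = c_0$ exactly the code word $c_0$ is "bad" (its Schur product with every $f$ is $0^n$), which is the single $\tilde c$ the corollary permits.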
Now we are ready to prove Theorem 20. In the proof, when $F \in \mathcal{F}$ acts on an $n$-bit vector $x \in \{0,1\}^n$, we prefer the notation $F(x)$ over matrix-product notation $Fx$.^9

^9 When using matrix-product notation ambiguities could arise, e.g. in subscripts of probability distributions like $P_{FX}$: then it is not clear whether this means the joint distribution of $F$ and $X$ or the distribution of $F$ acting on $X$.
Proof of Theorem 20. Consider an execution of Q-ID, with a dishonest server $S^*$ as described in Section 5.1. We let $W$, $X$ and $Z$ be the random variables that describe the values $w$, $x$ and $z$ occurring in the protocol.

From Q-ID's description, we see that $F$ is uniform over $\mathcal{F}$. Hence, by Corollary 22 it will be "good" (in the sense that the bound from Corollary 22 holds) except with probability $\binom{m}{2}2^{2\ell}\exp(-2d\beta^2)$. From here, we consider a fixed choice for $F$ and condition on the event that it is "good"; we thus book-keep the probability that $F$ is "bad" and take it into account at the end of the analysis. Although we have fixed $F$, we will keep using capital notation for it, to emphasize that $F$ is a matrix. We also fix $G = g$ for an arbitrary $g$; the analysis below holds for any such choice.

Let $\Theta$ describe the qubit-wise measurement performed by $S^*$ at the end of the execution, and $Y$ the corresponding measurement outcome. By the non-adaptivity restriction and by the requirement in Definition 11 that $S^*$ is initially independent of $W$, we may conclude that, once $G$ and $F$ are fixed, $\Theta$ is a function of $Z$. (Recall that $Z = F(X) \oplus g(W)$.)

We will define $W'$ with the help of Corollary 22. Let $\bar\Theta$ be the quantized basis of $\Theta$, as defined in Definition 17. Given a fixed value $\theta$ for $\Theta$, and thus a fixed value $\bar\theta$ for $\bar\Theta$, we set $s$, which is a variable that occurs in Corollary 22, to $s = \bar\theta$. Corollary 22 now guarantees that there exists at most one $\tilde c$. If $\tilde c$ indeed exists, then we choose $w'$ such that $c(w') = \tilde c$. Otherwise, we pick $w' \in \mathcal{W}$ arbitrarily (any choice will do). Note that this defines the random variable $W'$, and furthermore note that $Z \to \Theta \to \bar\Theta \to W'$ forms a Markov chain. Moreover, by the choice of $w'$ it immediately follows from Corollary 22 that for all $w \neq w'$ and for all $f \in \mathrm{span}(F)\setminus\{0^n\}$ it holds that

$$|f\odot(c(w)\oplus\bar\theta)| > \tfrac12(\tfrac14-\beta)d. \qquad (8)$$

We will make use of this bound later in the proof.

Since the model (Section 5.1) enforces the dishonest server to measure all qubits at the end of the protocol, the system $E = (Y, Z, \Theta)$ is classical and hence the trace-distance-based user-security definition (Definition 11) simplifies to a bound on the statistical distance between distributions. I.e., it is sufficient to prove that

$$\mathrm{SD}\big(P_{EW|W'=w',W\neq W'},\ P_{W|W'=w',W\neq W'}\,P_{E|W'=w',W\neq W'}\big) \le \varepsilon$$

holds for any $w'$. Consider the distribution that appears above as the first argument to the statistical distance, i.e. $P_{EW|W'=w',W\neq W'}$. By substituting $E = (Y, Z, \Theta)$, it factors as follows:^10

$$\begin{aligned}
P_{YZ\Theta W|W',W\neq W'} &= P_{W|W',W\neq W'}\,P_{Z\Theta|WW',W\neq W'}\,P_{Y|Z\Theta WW',W\neq W'} \\
&= P_{W|W',W\neq W'}\,P_{Z\Theta|W',W\neq W'}\,P_{Y|F(X)\Theta WW',W\neq W'}, \qquad (9)
\end{aligned}$$

where the equality $P_{Z\Theta|WW',W\neq W'} = P_{Z\Theta|W',W\neq W'}$ holds by the following argument: $Z$ is independent of $W$ (since $F(X)$ acts as one-time pad) and $Z \to \Theta \to W'$ is a Markov chain, and $S^*$ (who computes $\Theta$ from $Z$) is initially independent of $W$ by Definition 11; hence $W$ is independent of $Z$, $\Theta$ and $W'$, which implies the above equality. The equality $P_{Y|Z\Theta WW',W\neq W'} = P_{Y|F(X)\Theta WW',W\neq W'}$ holds by the observation that given $W$, $Z$ is uniquely determined by $F(X)$ and vice versa.

In the remainder of this proof we will show that

$$d_{\mathrm{unif}}(Y|F(X)=u, \Theta=v, W=w, W'=w') \le \tfrac12\, 2^{\frac{\ell}{2}-\frac14(\frac14-\beta)d}$$

for all $u, v, w$ such that $w \neq w'$, where $w'$ is determined by $v$. This then implies that the rightmost factor in (9) is essentially independent of $W$, and concludes the proof.

^10 Note that we shorten notation here by omitting the parentheses containing the function arguments. The quantification is over all inputs for which all involved conditional probabilities are well-defined.
To simplify notation, we define $\mathcal{E}$ to be the event

$$\mathcal{E} := \{F(X) = u,\ \Theta = v,\ W = w,\ W' = w'\}$$

for fixed but arbitrary choices $u$, $v$ and $w$ such that $w \neq w'$, where $w'$ is determined by $v$. We show closeness to the uniform distribution by using the XOR inequality from Diaconis et al. (Theorem 1), i.e., we use the inequality

$$d_{\mathrm{unif}}(Y|\mathcal{E}) \le \frac12\sqrt{\sum_a \mathrm{bias}(a\cdot Y|\mathcal{E})^2},$$

where the sum is over all $a$ in $\{0,1\}^n\setminus\{0^n\}$. We split this sum into two parts, one for $a \in \mathrm{span}(F)$ and one for $a$ not in $\mathrm{span}(F)$, and analyze the two parts separately.

Since $X$ is uniformly distributed, it follows that for any $a \notin \mathrm{span}(F)$, it holds that $P_{a\cdot X|F(X)}(\cdot|u) = \frac12$ (for any $u$). We conclude that

$$\tfrac12 = P_{a\cdot X|F(X)} = P_{a\cdot X|F(X)W} = P_{a\cdot X|F(X)\Theta WW'} = P_{a\cdot Y|F(X)\Theta WW'} = P_{a\cdot Y|\mathcal{E}} \qquad \forall a \notin \mathrm{span}(F).$$

The second equality follows since $W$ is independent of $X$. The third equality holds by the fact that $\Theta$ is computed from $F(X)\oplus g(W)$ and $W'$ is determined by $\Theta$. The fourth equality follows by the security of the one-time pad, i.e. recall that $Y = X \oplus A$, where by Corollary 16 it holds that $A \in \{0,1\}^n$ is independent of $X$ when conditioned on fixed values for $B = c(W)$ and $\Theta$. Hence, it follows that $\mathrm{bias}(a\cdot Y|\mathcal{E}) = 0$ for $a \notin \mathrm{span}(F)$.

For any non-zero $a \in \mathrm{span}(F)$, we can write

$$\begin{aligned}
\mathrm{bias}(a\cdot Y|\mathcal{E}) &= \mathrm{bias}(a\cdot(X\oplus A)|\mathcal{E}) \\
&= \mathrm{bias}(a\cdot X \oplus a\cdot A|\mathcal{E}) && \text{(distributivity of dot product)} \\
&= \mathrm{bias}(a\cdot X|\mathcal{E})\,\mathrm{bias}(a\cdot A|\mathcal{E}) && \text{(Corollary 16)} \\
&\le \mathrm{bias}(a\cdot A|\mathcal{E}) && (\mathrm{bias}(a\cdot X) \le 1) \\
&= \prod_{i\in[n]} \mathrm{bias}(a_i\cdot A_i|\mathcal{E}) && (A_i \text{ independent}) \\
&= \prod_{i\in[n]:\,a_i=1} \mathrm{bias}(A_i|\mathcal{E}) \\
&\le \prod_{i\in[n]:\,a_i=1} 2^{-\frac12\,(c(w)_i\oplus\bar\theta_i)} && \text{(Theorem 18)} \\
&= 2^{-\frac12|a\odot(c(w)\oplus\bar\theta)|} \le 2^{-\frac14(\frac14-\beta)d} && \text{(by (8))}
\end{aligned}$$

Combining the two parts, we get

$$d_{\mathrm{unif}}(Y|\mathcal{E}) \le \frac12\sqrt{\sum_{a\in\mathrm{span}(F)\setminus\{0^n\}} \mathrm{bias}(a\cdot Y|\mathcal{E})^2} \le \frac12\sqrt{2^{\ell}\cdot 2^{-\frac12(\frac14-\beta)d}} = \tfrac12\, 2^{\frac{\ell}{2}-\frac14(\frac14-\beta)d}.$$

Incorporating the error probability of having a "bad" $F$ completes the proof. □



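The bias computation at the heart of this proof (zero bias outside $\mathrm{span}(F)$, a product of per-bit biases inside $\mathrm{span}(F)$, then the XOR inequality) can be reproduced exactly on a small instance. The following Python is an added example, not code from the paper: it assumes $n = 6$, $\ell = 2$, a fixed $F$ and $u$, and models the error bits $A_i$ as independent of $X$ and of each other (Corollary 16), flipping with probability $\frac12 - \frac{1}{2\sqrt2}$ (bias exactly $1/\sqrt2$) at constructed "mismatch" positions where the quantized basis differs from $c(w)$ and never elsewhere, which is the worst case Theorem 18 allows.

```python
import math


def dot(a, x):
    """GF(2) inner product a·x of two int-encoded bit vectors (bit i <-> position i)."""
    return bin(a & x).count("1") & 1


def apply(F, x):
    """F(x) for the l x n matrix F given as l row vectors (ints): bit i of the result is row_i·x."""
    return sum(dot(row, x) << i for i, row in enumerate(F))


def row_span(F):
    """Non-zero elements of span(F)."""
    vecs = set()
    for r in range(1, 2 ** len(F)):
        v = 0
        for i, row in enumerate(F):
            if (r >> i) & 1:
                v ^= row
        if v:
            vecs.add(v)
    return vecs


def y_distribution(n, F, u, flip):
    """Exact distribution of Y = X ⊕ A conditioned on F(X) = u: X uniform on the coset
    {x : F(x) = u}, A_i independent with Pr[A_i = 1] = flip[i] (independent of X, as in Corollary 16)."""
    coset = [x for x in range(2 ** n) if apply(F, x) == u]
    dist = [0.0] * (2 ** n)
    for x in coset:
        for a in range(2 ** n):
            p = 1.0
            for i in range(n):
                p *= flip[i] if (a >> i) & 1 else 1.0 - flip[i]
            dist[x ^ a] += p / len(coset)
    return dist


def bias(dist, a):
    """bias(a·Y) = |Pr[a·Y = 0] - Pr[a·Y = 1]|."""
    return abs(sum(p * (1 - 2 * dot(a, y)) for y, p in enumerate(dist)))


def d_unif(dist):
    """Statistical distance of `dist` from the uniform distribution on {0,1}^n."""
    return 0.5 * sum(abs(p - 1.0 / len(dist)) for p in dist)


def xor_bound(dist):
    """Right-hand side of the XOR inequality used in the proof: (1/2) sqrt(sum_{a != 0} bias(a·Y)^2)."""
    return 0.5 * math.sqrt(sum(bias(dist, a) ** 2 for a in range(1, len(dist))))


def demo(n=6, F=(0b001111, 0b110011), u=0b01, mismatch=(0, 2, 4)):
    """Worked instance with l = 2 (all values constructed for this example)."""
    F = list(F)
    q = 0.5 - 1.0 / (2.0 * math.sqrt(2.0))  # flip probability whose bias is exactly 1/sqrt(2)
    flip = [q if i in mismatch else 0.0 for i in range(n)]
    dist = y_distribution(n, F, u, flip)
    span = row_span(F)
    # a outside span(F): a·X is uniform on the coset, so bias(a·Y) = 0
    outside = max(bias(dist, a) for a in range(1, 2 ** n) if a not in span)
    # a inside span(F): bias(a·Y) = prod_{i : a_i = 1} bias(A_i), the chain in the proof
    product = {a: math.prod(abs(1.0 - 2.0 * flip[i]) for i in range(n) if (a >> i) & 1) for a in span}
    inside_err = max(abs(bias(dist, a) - product[a]) for a in span)
    inside_max = max(product.values())
    return {
        "d_unif": d_unif(dist),
        "xor_bound": xor_bound(dist),
        "analytic_bound": 0.5 * 2 ** (len(F) / 2) * inside_max,  # (1/2) sqrt(2^l * max bias^2)
        "max_bias_outside_span": outside,
        "max_product_error_inside_span": inside_err,
        "max_bias_inside_span": inside_max,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32s} {value:.6f}")
```

In this instance every non-zero $a \in \mathrm{span}(F)$ covers exactly two mismatch positions, so $\mathrm{bias}(a\cdot Y|\mathcal{E}) = (1/\sqrt2)^2 = 1/2$ and the final bound evaluates to $\frac12\cdot 2^{\ell/2}\cdot\frac12 = \frac12$; the exact statistical distance returned by `d_unif` sits below both the XOR-inequality value and that closed form.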
5.5 Attack against Q-ID with Operations on Pairs of Qubits

We present an attack with which the dishonest server $S^*$ can discard two passwords in one execution of Q-ID using coherent operations on pairs of qubits.

Before discussing this attack, we first explain a straightforward strategy by which $S^*$ can discard one password per execution: $S^*$ chooses a candidate password $w$ and measures the state $H^{c(w)}|X\rangle$ qubit-wise in the basis $c(w)$ to obtain $Y$. $S^*$ then computes $F(Y)\oplus g(w)$ and compares this to $Z = F(X)\oplus g(W)$, which he received from the user. If indeed $Z = F(Y)\oplus g(w)$, then it is very likely that $W = w$, i.e. that $S^*$ guessed the password correctly.

Let us now explain the attack, which is obtained by modifying the above strategy. The attack is based on the following observation [DFSS05]: if $S^*$ can perform Bell measurements on qubit pairs $|x_1\rangle_a|x_2\rangle_a$, for $a \in \{0,1\}$, then he can learn the parity $x_1\oplus x_2$ for both choices of $a$ simultaneously. This strategy can also be adapted to determine both parities of a pair in which the first qubit is encoded in a basis that is opposite to that of the second qubit, i.e. by appropriately applying a Hadamard gate prior to applying the Bell measurement.

Let the first bit of $Z$ be equal to $f\cdot X \oplus g(W)_1$,^11 where $f \in \mathrm{span}(F)\setminus\{0^n\}$. Let $w_1$ and $w_2$ be two candidate passwords. With the trick from above, $S^*$ can measure the positions in the set

$$V := \{i \in [n] : f_i = 1,\ c(w_1)_i = 1\oplus c(w_2)_i\}$$

pairwise (assuming $|V|$ to be even) using Bell measurements, while measuring the positions where $c(w_1)$ and $c(w_2)$ coincide using ordinary single-qubit measurements. This allows him to compute both "check bits" corresponding to both passwords simultaneously, i.e. those check bits coincide with $f\cdot Y_1\oplus g(w_1)_1$ and $f\cdot Y_2\oplus g(w_2)_1$, where $Y_1$ and $Y_2$ are the outcomes that $S^*$ would have obtained if he had measured all qubits qubit-wise in either $c(w_1)$ or $c(w_2)$, respectively. If both these check bits are different from the bit $Z_1$, then $S^*$ can discard both $w_1$ and $w_2$.

We have seen that in the worst case, the attack is capable of discarding two passwords in one execution, and hence clearly violates the security definition. On average, however, the attack seems to discard just one password per execution, i.e. a candidate password cannot be discarded if its check bit is consistent with $Z_1$, which essentially happens with probability $1/2$. This raises the question whether the security definition is unnecessarily strong, because it seems that not being able to discard more than one password on average would be sufficient. Apart from this, it might be possible to improve the attack, e.g. by selecting the positions where to measure pairwise in a more clever way, so as to obtain multiple check bits (corresponding to multiple $f$'s in the span of $F$) per candidate password, thereby increasing the probability of discarding a wrong candidate password.

6 Conclusion

We view our work related to Q-ID as a first step in a promising line of research, aimed at achieving security in multiple models simultaneously. The main open problem in the context of the SQOM is to reprove our results in a more general model in which the dishonest server $S^*$ can choose his basis adaptively. Also, it would be interesting to see whether similar results can be obtained in a model where the adversary is restricted to performing quantum operations on blocks of several qubits.

^11 By $g(W)_1$ we mean the first bit of $g(W)$.
A Proof of an Operator Norm Inequality (Proposition 26)

We first recall some basic properties of the operator norm $\|A\| := \sup \|A|\varphi\rangle\|$, where the supremum is over all norm-1 vectors $|\varphi\rangle \in \mathcal{H}$. First of all, it is easy to see that

$$\left\|\begin{pmatrix} A & 0 \\ 0 & B \end{pmatrix}\right\| = \max\{\|A\|, \|B\|\}.$$

Also, from the fact that $\|A\| = \sup |\langle\psi|A|\varphi\rangle|$, where the supremum is over all norm-1 $|\varphi\rangle, |\psi\rangle \in \mathcal{H}$, it follows that $\|A^*\| = \|A\|$, where $A^*$ is the Hermitian transpose of $A$, and thus that for Hermitian matrices $A$ and $B$:

$$\|AB\| = \|(AB)^*\| = \|B^*A^*\| = \|BA\|.$$

Furthermore, if $A$ is Hermitian then $\|A\| = \lambda_{\max}(A) := \max\{|\lambda_j| : \lambda_j \text{ an eigenvalue of } A\}$. Finally, the operator norm is unitarily invariant, i.e., $\|A\| = \|UAV\|$ for all $A$ and for all unitary $U$, $V$.

Lemma 25. Any two $n\times n$ matrices $X$ and $Y$ for which the products $XY$ and $YX$ are Hermitian satisfy

$$\|XY\| = \|YX\|.$$

Proof. For any two $n\times n$ matrices $X$ and $Y$, $XY$ and $YX$ have the same eigenvalues, see e.g. [Bha97, Exercise 1.3.7]. Therefore, $\|XY\| = \lambda_{\max}(XY) = \lambda_{\max}(YX) = \|YX\|$. □
We are now ready to state and prove the norm inequality. We recall that an orthogonal projector $P$ satisfies $P^2 = P$ and $P^* = P$.

Proposition 26. For orthogonal projectors $A_1, A_2, \ldots, A_m$, it holds that

$$\|A_1 + \cdots + A_m\| \le 1 + (m-1)\cdot\max_{1\le j<k\le m} \|A_jA_k\|.$$

The case $m = 2$ was proven in [DFSS05], adapting a technique by Kittaneh [Kit97]. We extend the proof to an arbitrary $m$.



Proof. Defining

$$X := \begin{pmatrix} A_1 & A_2 & \cdots & A_m \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \quad\text{and}\quad Y := \begin{pmatrix} A_1 & 0 & \cdots & 0 \\ A_2 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ A_m & 0 & \cdots & 0 \end{pmatrix}$$

yields

$$XY = \begin{pmatrix} A_1 + A_2 + \cdots + A_m & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \quad\text{and}\quad YX = \begin{pmatrix} A_1 & A_1A_2 & \cdots & A_1A_m \\ A_2A_1 & A_2 & \cdots & A_2A_m \\ \vdots & \vdots & \ddots & \vdots \\ A_mA_1 & A_mA_2 & \cdots & A_m \end{pmatrix}.$$

The matrix $YX$ can be additively decomposed into $m$ matrices according to the following pattern

$$YX = \begin{pmatrix} * & 0 & \cdots & 0 \\ 0 & * & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & * \end{pmatrix} + \begin{pmatrix} 0 & * & \cdots & 0 \\ \vdots & 0 & \ddots & \vdots \\ 0 & & \ddots & * \\ * & 0 & \cdots & 0 \end{pmatrix} + \cdots + \begin{pmatrix} 0 & \cdots & 0 & * \\ * & 0 & \cdots & 0 \\ \vdots & \ddots & \ddots & \vdots \\ 0 & \cdots & * & 0 \end{pmatrix},$$

where the $*$ stand for entries of $YX$ and for $i = 1, \ldots, m$ the $i$th star-pattern after the diagonal pattern is obtained by $i$ cyclic shifts of the columns of the diagonal pattern.

$XY$ and $YX$ are Hermitian and thus we can apply Lemma 25. Then, by applying the triangle inequality, the unitary invariance of the operator norm and the facts that for all $j \neq k$: $\|A_j\| \le 1$, $\|A_jA_k\| = \|A_kA_j\|$, we obtain the desired statement. □


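A numeric check of Proposition 26, and of the $m = 2$ constant $1 + 1/\sqrt2$ that the proof of Lemma 19 takes from Theorem 7, for rank-one projectors onto real unit vectors of $\mathbb{C}^2$. This is an added Python example, not part of the appendix: it assumes all projectors are of the form $|v\rangle\langle v|$ with real amplitudes, uses the closed form for the largest eigenvalue of a real symmetric $2\times2$ matrix as the operator norm of the (Hermitian) sum, and the fact that $\|A_jA_k\| = |\langle v_j|v_k\rangle|$ for such projectors.

```python
import math


def ket(phi):
    """Real unit vector cos(phi)|0> + sin(phi)|1> (assumption: real amplitudes only)."""
    return (math.cos(phi), math.sin(phi))


def overlap(v, w):
    """|<v|w>| for real unit vectors."""
    return abs(v[0] * w[0] + v[1] * w[1])


def projector_sum_norm(kets):
    """Operator norm of sum_j |v_j><v_j|. The sum is a real symmetric 2x2 matrix [[a, b], [b, d]];
    it is Hermitian and positive, so its norm is its largest eigenvalue
    (a + d)/2 + sqrt(((a - d)/2)^2 + b^2)."""
    a = sum(v[0] ** 2 for v in kets)
    d = sum(v[1] ** 2 for v in kets)
    b = sum(v[0] * v[1] for v in kets)
    return (a + d) / 2 + math.sqrt(((a - d) / 2) ** 2 + b ** 2)


def proposition26_rhs(kets):
    """1 + (m - 1) * max_{j<k} ||A_j A_k||; for rank-one projectors ||A_j A_k|| = |<v_j|v_k>|."""
    m = len(kets)
    c = max(overlap(kets[j], kets[k]) for j in range(m) for k in range(j + 1, m))
    return 1 + (m - 1) * c


def check(kets):
    """Returns (left-hand side, right-hand side) of Proposition 26 for the given projectors."""
    return projector_sum_norm(kets), proposition26_rhs(kets)


def holds_on_grid(steps=24):
    """Checks the inequality for every triple (m = 3) of basis vectors on an angle grid."""
    kets = [ket(k * math.pi / steps) for k in range(steps)]
    for i in range(steps):
        for j in range(i + 1, steps):
            for k in range(j + 1, steps):
                lhs, rhs = check([kets[i], kets[j], kets[k]])
                if lhs > rhs + 1e-12:
                    return False
    return True


if __name__ == "__main__":
    # computational |0> and Hadamard |+>: the bound 1 + 1/sqrt(2) is attained (m = 2)
    print("m = 2 (|0>, |+>):", check([ket(0.0), ket(math.pi / 4)]))
    # adding the Breidbart vector |v> = cos(pi/8)|0> + sin(pi/8)|1> (m = 3)
    print("m = 3 (|0>, |+>, Breidbart):", check([ket(0.0), ket(math.pi / 4), ket(math.pi / 8)]))
    print("holds on angle grid:", holds_on_grid())
```

For $|0\rangle$ and $|+\rangle$ the two sides coincide at $1 + 1/\sqrt2$, which is why the sum of maximum probabilities in Lemma 19's proof is bounded by exactly that constant; adding the Breidbart vector gives a sum of norm $\frac12(4+\sqrt2)$ against a bound of $1 + 2\cos(\pi/8)$.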

B Proof of Lemma 5

To prove Lemma 5 we need to introduce some more tools.

The following proposition guarantees that the "averaging property" of the guessing probability (which holds by definition in the classical case) still holds when additionally conditioning on a quantum system.

Proposition 27. For any state $\rho_{XYE} \in \mathcal{D}(\mathcal{H}_X\otimes\mathcal{H}_Y\otimes\mathcal{H}_E)$ that is classical on $X$ and $Y$ it holds that

$$p_{\mathrm{guess}}(X|YE) = \sum_y P_Y(y)\,p_{\mathrm{guess}}(X|E, Y=y).$$



Proof. First, note that for any matrix $M_x$ acting on $\mathcal{H}_Y\otimes\mathcal{H}_E$, we can always write $M_x = \sum_{y,y'} |y\rangle\langle y'| \otimes M_x^{y,y'}$, where $M_x^{y,y'}$ acts on $\mathcal{H}_E$ for every $x, y, y'$. Now, we write

$$\begin{aligned}
p_{\mathrm{guess}}(X|YE) &= \max_{\{M_x\}} \sum_x P_X(x)\,\mathrm{tr}(M_x\rho_{YE}^x) \\
&= \max_{\{M_x\}} \sum_x P_X(x)\,\mathrm{tr}\Big(M_x \sum_y P_{Y|X}(y|x)\,|y\rangle\langle y| \otimes \rho_E^{x,y}\Big) \\
&= \max_{\{M_x\}} \sum_{x,y} P_{XY}(x,y)\,\mathrm{tr}\Big(\Big(\sum_{v,w} |v\rangle\langle w| \otimes M_x^{v,w}\Big)\big(|y\rangle\langle y| \otimes \rho_E^{x,y}\big)\Big) \\
&= \max_{\{M_x\}} \sum_{x,y} P_{XY}(x,y) \sum_v \langle y|v\rangle\,\mathrm{tr}(M_x^{v,y}\rho_E^{x,y}) \\
&= \max_{\{M_x\}} \sum_{x,y} P_{XY}(x,y)\,\mathrm{tr}(M_x^{y,y}\rho_E^{x,y}) \\
&= \sum_y P_Y(y) \max_{\{M_x^{y,y}\}} \sum_x P_{X|Y}(x|y)\,\mathrm{tr}(M_x^{y,y}\rho_E^{x,y}) \\
&= \sum_y P_Y(y)\,p_{\mathrm{guess}}(X|E, Y=y). \qquad\Box
\end{aligned}$$

The following proposition is known as the chain rule for min-entropy.

Proposition 28 ([Ren05]). The following holds for all $\rho_{ABC} \in \mathcal{D}(\mathcal{H}_A\otimes\mathcal{H}_B\otimes\mathcal{H}_C)$:

$$H_{\min}(A|BC) \ge H_{\min}(AB|C) - H_{\max}(B).$$

Finally, we need the following lemma.

Lemma 29. For any state $\rho_{XYE} \in \mathcal{D}(\mathcal{H}_X\otimes\mathcal{H}_Y\otimes\mathcal{H}_E)$ that is classical on $X$ and $Y$ it holds that

$$H_{\min}(XE|Y=y) \ge H_{\min}(X|Y=y) \qquad (10)$$

for every $y \in \mathcal{Y}$.

Proof. Note that it suffices to show that $\lambda_{\max}(\rho^y_{XE}) \le \lambda_{\max}(\rho^y_X)$ holds for every $y \in \mathcal{Y}$. Because $\rho^y_{XE}$ is classical on $X$, there exists a unitary $U$ acting on $\mathcal{H}_X$ such that $\tilde\rho^y_{XE} := (U\otimes I_E)\,\rho^y_{XE}\,(U^\dagger\otimes I_E)$ is classical with respect to the computational basis $\{|x\rangle\}_{x\in\mathcal{X}}$ on $\mathcal{H}_X$ with $\mathcal{X} := [d]$. In particular, this means that $\tilde\rho^y_{XE}$ has block-diagonal structure:

$$\tilde\rho^y_{XE} = \sum_{x\in\mathcal{X}} P_{X|Y}(x|y)\,|x\rangle\langle x| \otimes \rho_E^{x,y} = \begin{pmatrix} P_{X|Y}(1|y)\,\rho_E^{1,y} & & \\ & \ddots & \\ & & P_{X|Y}(d|y)\,\rho_E^{d,y} \end{pmatrix}.$$

Note that because $U$ is unitary, $\rho^y_{XE}$ has the same eigenvalues as $\tilde\rho^y_{XE}$, where these eigenvalues are given by the union of the eigenvalues of the blocks on the diagonal of $\tilde\rho^y_{XE}$. From this we see that the largest eigenvalue of $\tilde\rho^y_{XE}$ (and thus of $\rho^y_{XE}$) cannot be larger than the largest eigenvalue of $\tilde\rho^y_X := \mathrm{tr}_E(\tilde\rho^y_{XE})$ (and thus of $\rho^y_X$). □
Proof of Lemma 5. By the relation $p_{\mathrm{guess}}(X|E) = 2^{-H_{\min}(X|E)}$ it is equivalent to show that

$$p_{\mathrm{guess}}(X|YE) \le p_{\mathrm{guess}}(X|Y)\,2^{H_{\max}(E)}.$$

Using Proposition 27 we write

$$\begin{aligned}
p_{\mathrm{guess}}(X|EY) &= \sum_y P_Y(y)\,p_{\mathrm{guess}}(X|E, Y=y) = \sum_y P_Y(y)\,2^{-H_{\min}(X|E,Y=y)} \\
&\le \sum_y P_Y(y)\,2^{-H_{\min}(XE|Y=y) + H_{\max}(E)} \le 2^{H_{\max}(E)} \sum_y P_Y(y)\,2^{-H_{\min}(X|Y=y)} = 2^{H_{\max}(E)}\,p_{\mathrm{guess}}(X|Y),
\end{aligned}$$

where the first inequality is Proposition 28 and the second inequality follows by Lemma 29. Hence, the claim follows. □



C Proof of Lemma 15

Proof. Let $\alpha, \beta \in \mathbb{C}$ be such that $\theta_i := \{\alpha|0\rangle + \beta|1\rangle,\ \beta|0\rangle - \alpha|1\rangle\}$. (We can always find such $\alpha$ and $\beta$.) Writing out the measurement explicitly gives

$$P_{Y_i|X_iB_i\Theta_i}(0|x_i,b_i,\theta_i) = |(\alpha\langle 0| + \beta\langle 1|)H^{b_i}|x_i\rangle|^2 \quad\text{and}\quad P_{Y_i|X_iB_i\Theta_i}(1|x_i,b_i,\theta_i) = |(\beta\langle 0| - \alpha\langle 1|)H^{b_i}|x_i\rangle|^2.$$

Hence, it suffices to prove that

$$|(\alpha\langle 0| + \beta\langle 1|)H^{b_i}|x_i\rangle|^2 = |(\beta\langle 0| - \alpha\langle 1|)H^{b_i}|x_i\oplus 1\rangle|^2 \qquad (11)$$

for every $x_i, b_i \in \{0,1\}$.

We first show (11) for $b_i = 0$. Let $\sigma_1$ be the first Pauli matrix defined by $\sigma_1|a\rangle = |a\oplus 1\rangle$ for every $a \in \{0,1\}$. It follows immediately from the definition that $\sigma_1$ is a unitary matrix and it is easy to see that $\sigma_1$ is Hermitian. Then,

$$|(\alpha\langle 0| + \beta\langle 1|)|x_i\rangle|^2 = |(\alpha\langle 0| + \beta\langle 1|)\sigma_1\sigma_1|x_i\rangle|^2 = |(\alpha\langle 1| + \beta\langle 0|)|x_i\oplus 1\rangle|^2 = |(\beta\langle 0| - \alpha\langle 1|)|x_i\oplus 1\rangle|^2.$$

The last equation follows because the expression equals either $|\alpha|^2$ or $|\beta|^2$ (depending on $x_i \in \{0,1\}$), hence we may freely change the sign of $\alpha$. For $b_i = 1$, we have

$$|(\alpha\langle 0| + \beta\langle 1|)H|x_i\rangle|^2 = \tfrac12\,|(\alpha\langle 0| + \beta\langle 1|)(|0\rangle + (-1)^{x_i}|1\rangle)|^2 = \tfrac12\,|\alpha + (-1)^{x_i}\beta|^2$$

and

$$|(\beta\langle 0| - \alpha\langle 1|)H|x_i\oplus 1\rangle|^2 = \tfrac12\,|(\beta\langle 0| - \alpha\langle 1|)(|0\rangle - (-1)^{x_i}|1\rangle)|^2 = \tfrac12\,|\beta + (-1)^{x_i}\alpha|^2.$$

We see that those expressions are equal for every $x_i \in \{0,1\}$. □






